
Individual: 'Process Lineage Analysis'

Types (1)

rdfs:label

  • "AMD64 Code Segment"

Usage (18)

rdfs:label

  • "ARM32 Code Segment"

Usage (18)

rdfs:label

  • "ASCII Domain Name"

Usage (18)

comment

  • "Information about what access permissions are granted to particular users for particular objects"

rdfs:label

  • "Access Control Configuration"

rdfs:seeAlso

  • http://dbpedia.org/resource/Access-control_list

Usage (18)

kb-abstract

  • "Adversaries sometimes modify object access rights at the operating system level. There are varying motivations behind this action - they may not want some files/objects to be changed on systems for persistence reasons and therefore provide admin only rights; also, they may want files to be accessible with lower levels of permissions."

kb-author

  • "MITRE"

kb-mitre-analysis

  • "MITRE"

kb-mitre-analysis

  • ""

rdfs:label

  • "Reference - CAR-2019-07-001: Access Permission Modification - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2019-07-001: Access Permission Modification"

Usage (18)

altLabel

  • "Ticket"
  • "Token"

comment

  • "In computer systems, an access token contains the security credentials for a login session and identifies the user, the user's groups, the user's privileges, and, in some cases, a particular application. Typically one may be asked to enter the access token (e.g. 40 random characters) rather than the usual password (it therefore should be kept secret just like a password)."

rdfs:label

  • "Access Token"

rdfs:seeAlso

  • http://dbpedia.org/resource/Access_token

Usage (18)

definition

  • "The process of temporarily disabling user accounts on a system or domain."

kb-article

  • "## How it works
    Management servers with enterprise policies for account management provide the ability to enable and disable accounts according to given rules. The rules may include specific periods of time (e.g. weekends, plant shutdowns, leave periods), specific user types or groups, or individual users.

    ## Considerations
    * Local account caches vs. centralized account management
    * Single Sign-on
    * Role based vs Attribute based systems

    ## Examples of account configuration stores
    * Directory Services
    * Active Directory
    * RADIUS
    * LDAP
    * Oracle User Account Management
    * JumpCloud"

rdfs:label

  • "Account Locking"

'date created'

d3fend-id

  • "D3-AL"

disables

kb-reference

Usage (18)

definition

  • "Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis."

kb-article

  • "## How it works
    Analysis of server certificates using active methods to detect if certificates have been misconfigured or spoofed by using elements of the certificate, certificate authorities and signatures.

    ### Certificate validity analysis
    This can be accomplished by verifying the digital signature on the certificate against the issuer's public key.

    ### Certificate path analysis
    The client's browser can perform path validation to ensure that the server's certificate chains to a valid trust anchor.

    ### Certificate configuration analysis
    Some browsers can be configured to enforce the key-usage and extended-key-usage extensions contained in certificates. This can help to prevent a certificate from being used for a purpose other than the one it was issued for.

    ### Certificate revocation status analysis
    Using either Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) to determine the revocation status. OCSP Stapling, binding the status with the certificate, helps to mitigate potential delay in status verifications.

    ## Considerations
    * Management of the PKI across the enterprise typically requires automation to maintain scalability and flexibility
    * If the certificate authority, issuing the certificate, is compromised then all of the certificates issued by the CA are suspect
    * There may be delays associated with updates to certificates
    * A revoked certificate still appears valid until its revocation has been published by a trusted revocation service (OCSP or CRL) and fetched by the client
    * The revocation service (OCSP or CRL) may be unreachable at connection time, and the browser will then need to decide whether to trust the connection anyway (fail open) or refuse it (fail closed)"

rdfs:label

  • "Active Certificate Analysis"

'date created'

d3fend-id

  • "D3-ACA"

kb-reference

Usage (18)

kb-abstract

  • "The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching ntdsutil.exe as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, ntds.dit, to the specified folder path."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-mitre-analysis

  • "MITRE"

rdfs:label

  • "Reference - CAR-2019-08-002: Active Directory Dumping via NTDSUtil - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2019-08-002: Active Directory Dumping via NTDSUtil"

Usage (18)

definition

  • "Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline."

kb-article

  • "## How it works
    Network protocols such as RDP, IPMI, SSH, SNMP, VNC, MOSH, NX, TeamViewer, SPICE, PCoIP, and others are used by system administrators to remotely manage servers. Defenders monitor administrative network activity to determine if the use of remote protocols is malicious. Attackers can abuse administrative protocols and leverage them for initial access to various endpoints. For example, an attacker with valid credentials will remotely SSH or RDP into a server and attempt to blend in with existing traffic from system administrators. By monitoring the traffic activity, it is possible to detect when the protocols are behaving differently from a known baseline of system administration activity.

    ## Considerations
    * Administrative traffic can be encrypted, making network protocol analysis a challenge
    * False alarms can be mitigated by integration with inventory management systems"
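A minimal implementation of the baseline comparison described above, added here as an example and not D3FEND's own code. It assumes flow records with the fields `ts src dst dport proto`, an inventory-derived allowlist of administrative sources and of the (source, destination) pairs they are known to manage, and a fixed port-to-protocol mapping; the inventory and the flow records are constructed, not captured traffic.

```python
"""Administrative network activity analysis over flow records.
Added example: the inventory and the flow records are constructed."""
from collections import namedtuple

# Constructed inventory: hosts allowed to originate administrative sessions
# (jump hosts) and the (source, destination) pairs they are known to manage.
# A real deployment would pull both from the inventory/CMDB system, which is
# also what keeps false alarms down when admins are assigned new hosts.
ADMIN_SOURCES = {"10.0.1.10", "10.0.1.11"}
KNOWN_PAIRS = {("10.0.1.10", "10.0.2.20"), ("10.0.1.11", "10.0.2.21")}

# (transport, destination port) -> administrative protocol
ADMIN_SERVICES = {
    ("tcp", 22): "ssh", ("tcp", 3389): "rdp", ("tcp", 5900): "vnc",
    ("udp", 161): "snmp", ("udp", 623): "ipmi",
}

Flow = namedtuple("Flow", "ts src dst dport proto")


def parse_flow(line):
    """Parse one whitespace-separated record: ts src dst dport proto."""
    ts, src, dst, dport, proto = line.split()
    return Flow(int(ts), src, dst, int(dport), proto.lower())


def classify(flow, admin_sources=ADMIN_SOURCES, known_pairs=KNOWN_PAIRS):
    """Return None when the flow is not administrative or matches the
    baseline; otherwise a short reason describing the deviation."""
    service = ADMIN_SERVICES.get((flow.proto, flow.dport))
    if service is None:
        return None                       # not an administrative protocol
    if flow.src not in admin_sources:
        return f"{service} from non-administrative source {flow.src}"
    if (flow.src, flow.dst) not in known_pairs:
        return f"{service} from {flow.src} to unmanaged destination {flow.dst}"
    return None                           # expected administrative traffic


def analyze(lines):
    """Return [(flow, reason), ...] for every record that deviates."""
    alerts = []
    for line in lines:
        if line.strip():
            flow = parse_flow(line)
            reason = classify(flow)
            if reason:
                alerts.append((flow, reason))
    return alerts


# Constructed flow records: ts src dst dport proto
SAMPLE_FLOWS = """
1700000000 10.0.1.10 10.0.2.20 22 tcp
1700000001 10.0.3.55 10.0.2.20 22 tcp
1700000002 10.0.1.11 10.0.2.99 3389 tcp
1700000003 10.0.3.55 10.0.2.20 443 tcp
1700000004 10.0.1.11 10.0.2.21 161 udp
""".strip().splitlines()

if __name__ == "__main__":
    for flow, reason in analyze(SAMPLE_FLOWS):
        print(flow.ts, reason)
```

Because the classification uses only transport metadata (addresses, ports, protocol), it works unchanged on encrypted administrative traffic, which addresses the first consideration; the second consideration is why the allowlists are meant to be fed from inventory rather than maintained by hand.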

rdfs:label

  • "Administrative Network Activity Analysis"

'date created'

analyzes

d3fend-id

  • "D3-ANAA"

kb-reference

Usage (18)

comment

  • "Administrative network traffic is network traffic related to the remote administration or control of hosts or devices through a standard remote administrative protocol. Remote shells, terminals, RDP, and VNC are examples of these protocols, which are typically only used by administrators."

rdfs:label

  • "Administrative Network Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Remote_administration

Usage (18)

rdfs:label

  • "Adobe PDF File 1.3"

may-contain

Usage (18)

kb-abstract

  • "Once a credential dumper like mimikatz runs, every user logged on since boot is potentially compromised, because the credentials were accessed via the memory of lsass.exe. When such an event occurs, this analytic will give the forensic context to identify compromised users. Those users could potentially be used in later events for additional logons.

    The time field indicates the first and last time a system reported a user logged into a given system. This means that activity could be intermittent between the times given and should not be considered a duration."

kb-author

  • "MITRE"

kb-mitre-analysis

  • "MITRE"

kb-mitre-analysis

  • ""

rdfs:label

  • "Reference - CAR-2015-07-001: All Logins Since Last Boot - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2015-07-001: All Logins Since Last Boot"

Usage (18)

comment

  • "A program that gives a computer instructions that provide the user with tools to accomplish a task; "he has tried several different word processing applications". Distinct from system software that is intrinsically part of the operating system. An application can be made up of executable files, configuration files, shared libraries, etc."

rdfs:label

  • "Application"

rdfs:seeAlso

  • http://dbpedia.org/resource/Application_software
  • http://wordnet-rdf.princeton.edu/id/06582286-n

may-contain

uses

Usage (18)

comment

  • "Information used to configure the parameters and initial settings for an application."

rdfs:label

  • "Application Configuration"

rdfs:seeAlso

  • http://wordnet-rdf.princeton.edu/id/05739724-n

Usage (18)

comment

  • "A database used to hold application configuration data."

rdfs:label

  • "Application Configuration Database"

contains

Usage (18)

comment

  • "A database record holding information used to configure the parameters and initial settings for an application."

rdfs:label

  • "Application Configuration Database Record"

Usage (18)

comment

  • "A file containing information used to configure the parameters and initial settings for an application. A plist file is an example of this type of file for macOS. Usually text-based."

rdfs:label

  • "Application Configuration File"

contains

Usage (18)

definition

  • "Modifying an application's configuration to reduce its attack surface."

kb-article

  • "## How it works
    Application configuration settings can be configured to limit the permissions on an application or disable certain vulnerable application features.

    Hardening an application's configuration involves analyzing not only the application but also the environment in which the application is run for potential vulnerabilities."

rdfs:label

  • "Application Configuration Hardening"

d3fend-id

  • "D3-ACH"

hardens

kb-reference

Usage (18)

definition

  • "Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary."

kb-article

  • "## Technique Overview

    Exploits may, for example, rely on knowledge of addresses in a process's memory, alter memory contents, or cause a program to use instructions in a way that was not intended. Including code that dynamically changes the memory address of data or code on each run, introducing logic to validate memory contents before certain potentially dangerous control flows are executed, or monitoring a program for unusual sequences of instructions makes it harder for an attacker to craft a working exploit."

rdfs:label

  • "Application Hardening"

synonym

  • "Process Hardening"

d3fend-id

  • "D3-AH"

enables

Usage (18)

comment

  • "An application process is an instance of an application computer program that is being executed."

rdfs:label

  • "Application Process"

rdfs:seeAlso

  • http://dbpedia.org/resource/Application_software

runs

Usage (18)

comment

  • "An archive file is a file that is composed of one or more computer files along with metadata. Archive files are used to collect multiple data files together into a single file for easier portability and storage, or simply to compress files to use less storage space. Archive files often store directory structures, error detection and correction information, arbitrary comments, and sometimes use built-in encryption."

isDefinedBy

  • http://dbpedia.org/resource/Archive_file

rdfs:label

  • "Archive File"

Usage (18)

comment

  • "Audio input devices allow a user to send audio info to a computer for processing, recording, or carrying out commands. Devices such as microphones allow users to speak to the computer in order to record a voice message or navigate software. Aside from recording, audio input devices are also used with speech recognition software."

isDefinedBy

  • http://dbpedia.org/resource/Input_device#Voice_input_devices

rdfs:label

  • "Audio Input Device"

Usage (18)

comment

  • "A request-response comprising a user credential presentation to a system and a verification response."

rdfs:label

  • "Authentication"

rdfs:seeAlso

  • http://dbpedia.org/resource/Authentication
  • http://wordnet-rdf.princeton.edu/id/00155053-n

authenticates

may-create

originates-from

Usage (18)

definition

  • "Removing tokens or credentials from an authentication cache to prevent further access by the associated user account."

kb-article

  • "## How it works
    Applications can locally cache user authentication credentials for certain server connections. An application may attempt to use the cached credential for a connection. If the cached credentials exist, the user will typically not be prompted for new credentials.


    ## Considerations
    Are these cached credentials only on the local host? Can they be persisted to the remote server?

    ## Examples
    Windows Credential Management API"

rdfs:label

  • "Authentication Cache Invalidation"

d3fend-id

  • "D3-ANCI"

deletes

kb-reference

Usage (18)

definition

  • "Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile."

kb-article

  • "## How it works
    Authentication event data is collected (logon information such as device id, time of day, day of week, geo-location, etc.) to create an activity baseline. Then, a threshold is determined either through a manually specified configuration, or a statistical analysis of deviations in historical data. New authentication events are evaluated to determine if a threshold is exceeded. Thresholds can be static or dynamic.

    ### Actions
    As a result of the analysis, actions taken could include:

    * [Account Locking](/technique/d3f:AccountLocking)
    * Raising an alert

    ### Example data sources
    * Directory server logs
    * VPN Server logs
    * IDAM Capability logs
    * NAC logs
    * Authentication client logs
    * Kerberos network traffic
    * LDAP network traffic

    ## Considerations

    This technique covers statistical outliers. Though depending on the complexity or dimensionality of the data considered, outliers may not be obvious to a human analyst reviewing events in simplistic analytic views. If the malicious activity is not statistically different from benign activity, an alert threshold will not be met."

rdfs:label

  • "Authentication Event Thresholding"

'date created'

analyzes

d3fend-id

  • "D3-ANET"

kb-reference

Usage (18)

comment

  • "A log of authentication events."

rdfs:label

  • "Authentication Log"

rdfs:seeAlso

  • http://dbpedia.org/resource/Authorization
  • http://wordnet-rdf.princeton.edu/id/00155053-n

records

Usage (18)

comment

  • "An authentication service is a mechanism, analogous to the use of passwords on time-sharing systems, for the secure authentication of the identity of network clients by servers and vice versa, without presuming the operating system integrity of either (e.g., Kerberos)."

isDefinedBy

  • https://www.gartner.com/en/information-technology/glossary/authentication-service

rdfs:label

  • "Authentication Service"

rdfs:seeAlso

  • http://dbpedia.org/resource/Authentication

Usage (18)

comment

  • "Authorization is the function of specifying access rights to resources related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define an access policy. For example, human resources staff is normally authorized to access employee records and this policy is usually formalized as access control rules in a computer system. During operation, the system uses the access control rules to decide whether access requests from (authenticated) consumers shall be approved (granted) or disapproved (rejected). Resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer program"

isDefinedBy

  • http://dbpedia.org/resource/Authorization

rdfs:label

  • "Authorization"

authorizes

Usage (18)

definition

  • "Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile."

kb-article

  • "## How it works

    Authorization event data is collected to create a baseline user profile. Authorization events that deviate from the baseline and exceed a static or dynamic threshold are identified for further action. Authorization events can include successful and failed authorization attempts as well as events related to permissions including viewing, editing, deleting, creating files, databases etc.

    ## Considerations

    Depending on the complexity of the data considered, outliers may not be obvious to a human analyst reviewing events in simplistic analytic views. If malicious activity is not statistically different from benign activity, an alert threshold will not be met."
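The baseline-then-threshold logic described for Authentication Event Thresholding above and for this technique, as one added example that is not D3FEND's own code. An event is a constructed tuple of user, hour of day, device, country and outcome; for authorization events the same code applies with the resource and the requested action in place of device and country. The static score weights, the alert threshold of 3, the z-score limit of 2 and all events are assumptions.

```python
"""Authentication/authorization event thresholding against a per-user baseline.
Added example; all events below are constructed."""
import statistics
from collections import defaultdict

# Constructed history: (user, hour_of_day, device_id, country, outcome).
HISTORY = [
    ("alice", 9, "lap-01", "US", "success"),
    ("alice", 10, "lap-01", "US", "success"),
    ("alice", 14, "lap-01", "US", "success"),
    ("alice", 16, "lap-01", "US", "failure"),
    ("alice", 11, "lap-01", "US", "success"),
    ("bob", 8, "lap-02", "US", "success"),
    ("bob", 9, "lap-02", "DE", "success"),
    ("bob", 17, "lap-02", "DE", "success"),
]

# Assumed static weights per deviation and a static alert threshold on the sum.
WEIGHTS = {"new_device": 2, "new_country": 3, "unusual_hour": 1, "unknown_user": 5}
ALERT_THRESHOLD = 3
# Dynamic per-user threshold: hours more than Z_LIMIT standard deviations from
# the user's historical mean count as unusual.
Z_LIMIT = 2.0


def build_baseline(history):
    """Per-user profile: seen devices and countries, plus hour-of-day stats."""
    by_user = defaultdict(list)
    for ev in history:
        by_user[ev[0]].append(ev)
    profiles = {}
    for user, evs in by_user.items():
        hours = [e[1] for e in evs]
        profiles[user] = {
            "devices": {e[2] for e in evs},
            "countries": {e[3] for e in evs},
            "hour_mean": statistics.mean(hours),
            # one event gives no spread; assume a 1-hour deviation in that case
            "hour_std": statistics.stdev(hours) if len(hours) > 1 else 1.0,
        }
    return profiles


def score_event(event, profiles):
    """Return (score, reasons) comparing one event with the user's baseline."""
    user, hour, device, country, _outcome = event
    profile = profiles.get(user)
    if profile is None:
        return WEIGHTS["unknown_user"], ["unknown_user"]
    reasons = []
    if device not in profile["devices"]:
        reasons.append("new_device")
    if country not in profile["countries"]:
        reasons.append("new_country")
    z = abs(hour - profile["hour_mean"]) / max(profile["hour_std"], 1e-9)
    if z > Z_LIMIT:
        reasons.append("unusual_hour")
    return sum(WEIGHTS[r] for r in reasons), reasons


def evaluate(events, profiles, threshold=ALERT_THRESHOLD):
    """Return [(user, score, reasons), ...] for events at or over threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev, profiles)
        if score >= threshold:
            alerts.append((ev[0], score, reasons))
    return alerts


# Constructed new events to evaluate against the baseline.
NEW_EVENTS = [
    ("alice", 10, "lap-01", "US", "success"),   # matches baseline
    ("alice", 10, "lap-05", "US", "success"),   # new device only: below threshold
    ("alice", 3, "lap-09", "RU", "success"),    # new device + country + 03:00
    ("bob", 9, "lap-02", "DE", "success"),      # matches baseline
    ("carol", 12, "lap-07", "US", "failure"),   # no history at all
]

if __name__ == "__main__":
    for user, score, reasons in evaluate(NEW_EVENTS, build_baseline(HISTORY)):
        print(user, score, reasons)
```

The single new device for alice scores 2 and stays under the threshold, which is the consideration above in miniature: a deviation that is not statistically distinct enough from benign behaviour raises no alert on its own. Hours are treated linearly; a user who works across midnight would need a circular statistic instead.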

rdfs:label

  • "Authorization Event Thresholding"

'date created'

analyzes

d3fend-id

  • "D3-AZET"

kb-reference

Usage (18)

comment

  • "A log of authorization events."

rdfs:label

  • "Authorization Log"

rdfs:seeAlso

  • http://dbpedia.org/resource/Authorization
  • http://wordnet-rdf.princeton.edu/id/00155053-n

records

Usage (18)

kb-abstract

  • "The Sysinternals tool Autoruns checks the registry and file system for known persistence mechanisms. It will output any tools identified, including built-in or added-on Microsoft functionality and third party software. Many of these locations are known by adversaries and used to obtain Persistence. Running Autoruns periodically in an environment makes it possible to collect and monitor its output for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely to make changes than an adversary tool. Thus, this analytic may result in significant noise in a highly dynamic environment. While Autoruns is a convenient method to scan for programs using persistence mechanisms its scanning nature does not conform well to streaming based analytics. This analytic could be replaced with one that draws from sensors that collect registry and file information if streaming analytics are desired.

    Utilizes the Sysinternals autoruns tool (ignoring validated Microsoft entries). Primarily not a detection analytic by itself but through analysis of results by an analyst can be used for such. Building another analytic on top of this one identifying unusual entries would likely be a beneficial alternative."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-mitre-analysis

  • "MITRE"

rdfs:label

  • "Reference - CAR-2013-01-002: Autorun Differences - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-01-002: Autorun Differences"

Usage (18)

rdfs:label

  • "BSD Process"

Usage (18)

rdfs:label

  • "Bash Script File"

Usage (18)

definition

  • "Using biological measures in order to authenticate a user."

rdfs:label

  • "Biometric Authentication"

authenticates

d3fend-id

  • "D3-BAN"

kb-reference

Usage (18)

altLabel

  • "Block Special File"

comment

  • "A block device (or block special file) provides buffered access to hardware devices, and provides some abstraction from their specifics.

    IEEE Std 1003.1-2017: A file that refers to a device. A block special file is normally distinguished from a character special file by providing access to the device in a manner such that the hardware characteristics of the device are not visible."

isDefinedBy

  • http://dbpedia.org/resource/Device_file#BLOCKDEV

rdfs:label

  • "Block Device"

rdfs:seeAlso

  • https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_79

contains

may-contain

Usage (18)

rdfs:label

  • "Book"

Usage (18)

altLabel

  • "Bootloader"

comment

  • "A bootloader is software that is responsible for booting a computer. When a computer is turned off, its software, including operating systems, application code, and data, remains stored on non-volatile memory. When the computer is powered on, it typically does not have an operating system or its loader in random-access memory (RAM). The computer first executes a relatively small program stored in read-only memory (ROM, and later EEPROM, NOR flash) along with some needed data, to initialize RAM (especially on x86 systems) to access the nonvolatile device (usually a block device, e.g. NAND flash) or devices from which the operating system programs and data can be loaded into RAM."

isDefinedBy

  • http://dbpedia.org/resource/Bootloader

rdfs:label

  • "Boot Loader"

Usage (18)

comment

  • "A boot record [boot sector] is the sector of a persistent data storage device (e.g., hard disk, floppy disk, optical disc, etc.) which contains machine code to be loaded into random-access memory (RAM) and then executed by a computer system's built-in firmware (e.g., the BIOS, Das U-Boot, etc.)."

rdfs:label

  • "Boot Sector"

rdfs:seeAlso

  • http://dbpedia.org/resource/Boot_sector

Usage (18)

definition

  • "Cryptographically authenticating the bootloader software before system boot."

rdfs:label

  • "Bootloader Authentication"

synonym

  • "Secure Boot"

authenticates

d3fend-id

  • "D3-BA"

kb-reference

Usage (18)

definition

  • "Broadcast isolation restricts the number of computers a host can contact on its LAN."

kb-article

  • "## How it works
    Software Defined Networking, or other network encapsulation technologies intercept host broadcast traffic then route it to a specified destination per a configured policy.

    This can be implemented within hypervisors, networking hardware (WAPs, switches, routers), or virtual hardware.

    ## Considerations
    This technique is highly dependent on network infrastructure and networking requirements."

rdfs:label

  • "Broadcast Domain Isolation"

synonym

  • "Network Segmentation"

d3fend-id

  • "D3-BDI"

filters

kb-reference

Usage (18)

comment

  • "A web browser (commonly referred to as a browser) is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier (URI/URL) and may be a web page, image, video or other piece of content. Hyperlinks present in resources enable users easily to navigate their browsers to related resources. Although browsers are primarily intended to use the World Wide Web, they can also be used to access information provided by web servers in private networks or files in file systems."

isDefinedBy

  • http://dbpedia.org/resource/Web_browser

rdfs:label

  • "Browser"

rdfs:seeAlso

  • http://wordnet-rdf.princeton.edu/id/13376000-n

may-contain

Usage (18)

comment

  • "A browser extension is a plug-in that extends the functionality of a web browser in some way. Some extensions are authored using web technologies such as HTML, JavaScript, and CSS. Browser extensions can change the user interface of the web browser without directly affecting viewable content of a web page; for example, by adding a "toolbar.""

isDefinedBy

  • http://dbpedia.org/resource/Browser_extension

rdfs:label

  • "Browser Extension"

extends

Usage (18)

definition

  • "Analyzing sequences of bytes and determining if they likely represent malicious shellcode."

kb-article

  • "## How it works

    Bytes are analyzed as if they are machine code instructions, and instructions that are a common component of known shellcode are noted, such as stack pivots, reads from the Import Address Table, and system calls for functions that disable protections or execute code. For example, on 32-bit Linux the x86 instruction `b0 0b: mov $11, %al` sets the low byte of `%eax` to the `execve()` system call number; if `%eax` is otherwise zero (shellcode commonly clears it first with `31 c0: xor %eax, %eax`) and the instruction is followed by `cd 80: int $0x80`, the kernel executes `execve()`, which replaces the current process with the one specified. This is a common action in shellcode, so this sequence would be flagged.

    This technique detects shellcode regardless of whether it would cause a buffer overflow in the target binary.

    If the sequence of bytes contains a sequence similar to that used in malicious shellcode, the entire byte sequence is flagged and a follow-on technique may be invoked.

    ## Considerations

    ### False Negatives
    If the shellcode instructions are far apart, simple implementations might not detect the shellcode.

    Because a byte stream has no defined instruction boundaries, implementations which do not consider every possible start offset (for example, implementations that find a byte sequence of interest and then continue scanning only from its end) might not detect the shellcode.

    This technique might not detect more complex or obfuscated instructions. For that purpose, Dynamic Analysis or Emulated File Analysis could assist by analyzing the actual instruction function.

    This technique may not detect self-modifying code. To make it harder for a process to modify itself, Process Segment Execution Prevention should be used, while noting its considerations.

    This technique might not detect malicious shellcode which reuses instructions in the target binary for malicious effect, as memory references in the presumed assembly code are not dereferenced. Dynamic Analysis and Emulated File Analysis, when set up properly to fork from the running target binary, might detect this. Process Segment Execution Prevention combined with Segment Address Offset Randomization frequently makes introduction of shellcode through overwriting a saved return pointer more difficult. Call stack depth analysis might detect excessive reuse of instructions in the target binary. Shadow Stack Frames might detect that a stack frame's return address has changed and Stack Frame Canary Verification might detect that the stack frame's return address was overwritten. Other heuristic methods might detect jump-oriented programming shellcode.

    When code is introduced directly rather than through a buffer overflow, for example written to a file that is later executed or placed with a write-what-where primitive, the buffer overflow mitigations above do not help. Behavioral analysis could detect this, or proper access control could mitigate it.

    ### False Positives

    Byte sequences containing data that is never used as machine code are still analyzed and flagged for anomalies, and given the sheer volume of bytes transmitted it is [likely](http://mathforum.org/library/drmath/view/55871.html) that an attack-like sequence will eventually arise by chance."
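A scanner in the spirit of the technique description above, added here as an example and not D3FEND code. It decodes only a handful of x86 opcodes (`xor %eax,%eax`, `mov $imm8,%al`, `mov $imm32,%eax`, `int $0x80`, `syscall`, and a few pushes whose length matters), treats every other byte as a one-byte instruction (an assumption a real implementation would replace with a full decoder), and restarts decoding at every offset so the misaligned-start false negative described under Considerations does not arise. A chain is only flagged when the syscall number was fully established in view, so `mov $11,%al` on its own is not enough. The sample byte strings, including the classic `/bin//sh` 32-bit shellcode, are constructed.

```python
"""Heuristic shellcode scan: decode a few x86 opcodes from every start offset
and flag a Linux execve() system call whose number was established in view.
Added example; opcode coverage is deliberately minimal and the inputs are
constructed."""

INT80_CALLS = {11: "execve"}    # 32-bit Linux: number in %eax, then int $0x80
SYSCALL_CALLS = {59: "execve"}  # x86-64 Linux: number in %rax, then syscall
# Instruction lengths for opcodes we skip over without modelling (assumption:
# anything not listed is treated as a one-byte instruction).
LENGTHS = {0x68: 5, 0x6A: 2, 0x89: 2, 0x90: 1}
LENGTHS.update({op: 1 for op in range(0x50, 0x58)})  # push r32


def _step(buf, i, eax):
    """Decode buf[i]; return (next_i, eax_after, hit) where hit is
    (mechanism, syscall_name_or_None) when a system call instruction is seen
    and None otherwise. eax is None while its value is unknown."""
    op = buf[i]
    nxt = buf[i + 1] if i + 1 < len(buf) else None
    if op == 0x31 and nxt == 0xC0:                 # xor %eax,%eax
        return i + 2, 0, None
    if op == 0xB0 and nxt is not None:             # mov $imm8,%al
        # only the low byte changes; the result is known only if eax was known
        return i + 2, None if eax is None else (eax & ~0xFF) | nxt, None
    if op == 0xB8 and i + 4 < len(buf):            # mov $imm32,%eax
        return i + 5, int.from_bytes(buf[i + 1:i + 5], "little"), None
    if op == 0xCD and nxt == 0x80:                 # int $0x80
        return i + 2, eax, ("int 0x80", INT80_CALLS.get(eax))
    if op == 0x0F and nxt == 0x05:                 # syscall
        return i + 2, eax, ("syscall", SYSCALL_CALLS.get(eax))
    return i + LENGTHS.get(op, 1), eax, None


def scan(buf, window=64):
    """Return sorted [(anchor, end, mechanism, syscall), ...]. anchor is the
    offset of the instruction that first established the syscall number and
    end is the offset just past the system call instruction. Decoding starts
    afresh at every offset and follows at most `window` bytes from it."""
    hits = {}
    for start in range(len(buf)):
        i, eax, anchor = start, None, None
        while i < len(buf) and i - start < window:
            at = i
            i, eax, hit = _step(buf, i, eax)
            if anchor is None and eax is not None:
                anchor = at
            if hit is not None:
                if hit[1] is not None:
                    hits[(anchor, i)] = hit
                break  # a system call ends this candidate chain either way
    return sorted((a, e, m, n) for (a, e), (m, n) in hits.items())


# Constructed samples.
SHELLCODE32 = bytes.fromhex("31c0 50 68 2f2f7368 68 2f62696e 89e3 50 53 89e1 b00b cd80")
SHELLCODE64 = bytes.fromhex("b8 3b000000 0f05")
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
# The syscall number is set 100 bytes before it is used: a far-apart chain.
GAPPED = b"\x31\xc0" + b"\x90" * 100 + b"\xb0\x0b\xcd\x80"

if __name__ == "__main__":
    for name, sample in [("32-bit", SHELLCODE32), ("64-bit", SHELLCODE64),
                         ("benign", BENIGN), ("gapped", GAPPED)]:
        print(name, scan(sample))
```

With the default 64-byte window the `GAPPED` sample is missed, which is the first false-negative consideration above made concrete; widening the window to 200 finds it, at the cost of more decoding work per offset.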

rdfs:label

  • "Byte Sequence Emulation"

synonym

  • "Shellcode Transmission Detection"

d3fend-id

  • "D3-BSE"

kb-reference

Usage (18)

comment

  • "In computer science, a call stack is a stack data structure that stores information about the active subroutines of a computer program. This kind of stack is also known as an execution stack, program stack, control stack, run-time stack, or machine stack, and is often shortened to just "the stack". Although maintenance of the call stack is important for the proper functioning of most software, the details are normally hidden and automatic in high-level programming languages. Many computer instruction sets provide special instructions for manipulating stacks."

isDefinedBy

  • http://dbpedia.org/resource/Call_stack

rdfs:label

  • "Call Stack"

contains

Usage (18)

altLabel

  • "Public Key Certificate"

comment

  • "In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, t"

isDefinedBy

  • http://dbpedia.org/resource/Public_key_certificate

rdfs:label

  • "Certificate"

contains

Usage (18)

definition

  • "Requiring a digital certificate in order to authenticate a user."

rdfs:label

  • "Certificate-based Authentication"

d3fend-id

  • "D3-CBAN"

kb-reference

Usage (18)

definition

  • "Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party logs."

kb-article

  • "## How it works
    Certificate Analysis ensures that the data elements of the certificate are current and anchored in a known trust model. Certificate authorities, revocation lists, and third-party secure logs are used in the analysis. Analysis includes detection of server impersonation, phishing domains, and forged certificates.

    TLS certificates are designed to expire to ensure that the cryptographic keys are forced to be changed on a regular basis. The certificates in the trust path also expire and can cause a break in the trust chain. This means that even if a server certificate is updated correctly, intermediate certificates can expire and the trust chain is not maintained. This can cause services to become unavailable."
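The path, validity, key-usage and revocation checks described under Active Certificate Analysis above, together with the expired-intermediate case described in this section, as one added example that is not D3FEND code. Certificates are constructed Python dicts rather than parsed X.509 objects; the cryptographic signature check is assumed to have been done by the TLS library and is represented by a `signature_ok` field, and the CRL is a constructed set of (issuer, serial) pairs.

```python
"""Structural certificate chain analysis: path to a trust anchor, validity
windows, key usage, revocation. Added example with constructed certificates;
signature verification is assumed done elsewhere (signature_ok field)."""
from datetime import datetime


def cert(subject, issuer, not_before, not_after, key_usage, serial,
         is_ca=False, signature_ok=True):
    """Constructed stand-in for a parsed X.509 certificate."""
    return {"subject": subject, "issuer": issuer,
            "not_before": datetime.fromisoformat(not_before),
            "not_after": datetime.fromisoformat(not_after),
            "key_usage": set(key_usage), "serial": serial,
            "is_ca": is_ca, "signature_ok": signature_ok}


# Constructed PKI: root, one intermediate that expires mid-2024, two servers.
ROOT = cert("Example Root CA", "Example Root CA", "2020-01-01", "2040-01-01",
            ["keyCertSign", "cRLSign"], 1, is_ca=True)
INTERMEDIATE = cert("Example Issuing CA", "Example Root CA", "2021-01-01",
                    "2024-06-30", ["keyCertSign", "cRLSign"], 2, is_ca=True)
SERVER = cert("www.example.test", "Example Issuing CA", "2024-01-01",
              "2025-01-01", ["digitalSignature"], 1001)
REVOKED_SERVER = cert("old.example.test", "Example Issuing CA", "2024-01-01",
                      "2025-01-01", ["digitalSignature"], 1002)
TRUST_ANCHORS = {ROOT["subject"]: ROOT}
# Constructed CRL contents: (issuer, serial) of revoked certificates.
CRL = {("Example Issuing CA", 1002)}


def build_path(leaf, intermediates, trust_anchors):
    """Follow issuer names from the leaf; return (path, anchor_or_None)."""
    by_subject = {c["subject"]: c for c in intermediates}
    path, current, seen = [leaf], leaf, {leaf["subject"]}
    while current["issuer"] not in trust_anchors:
        nxt = by_subject.get(current["issuer"])
        if nxt is None or nxt["subject"] in seen:   # dangling or looping chain
            return path, None
        seen.add(nxt["subject"])
        path.append(nxt)
        current = nxt
    return path, trust_anchors[current["issuer"]]


def analyze_chain(leaf, intermediates, trust_anchors, crl, now):
    """Return a list of findings for the chain at ISO date `now`;
    an empty list means every check passed."""
    now = datetime.fromisoformat(now)
    findings = []
    path, anchor = build_path(leaf, intermediates, trust_anchors)
    if anchor is None:
        findings.append("no path to a trust anchor")
    for c in path + ([anchor] if anchor is not None else []):
        name = c["subject"]
        if not c["signature_ok"]:
            findings.append(f"{name}: signature invalid")
        if not (c["not_before"] <= now <= c["not_after"]):
            findings.append(f"{name}: outside validity period")
        if c is not leaf and (not c["is_ca"] or "keyCertSign" not in c["key_usage"]):
            findings.append(f"{name}: not permitted to issue certificates")
        if (c["issuer"], c["serial"]) in crl:
            findings.append(f"{name}: revoked")
    if "digitalSignature" not in leaf["key_usage"]:
        findings.append(f"{leaf['subject']}: not usable for TLS server authentication")
    return findings


if __name__ == "__main__":
    for when in ("2024-03-01", "2024-09-01"):
        print(when, analyze_chain(SERVER, [INTERMEDIATE], TRUST_ANCHORS, CRL, when))
```

Run against the same server certificate on 2024-09-01, the only finding is the intermediate's expiry: the leaf is still within its validity period, but the trust chain is broken exactly as the paragraph above describes.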

rdfs:label

  • "Certificate Analysis"

analyzes

d3fend-id

  • "D3-CA"

kb-reference

Usage (18)

comment

  • "A file containing a digital certificate. In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner."

isDefinedBy

  • http://dbpedia.org/resource/Public_key_certificate

rdfs:label

  • "Certificate File"

contains

Usage (18)

definition

  • "Persisting either a server's X.509 certificate or its public key and comparing it to the identity the server presents, giving the client greater confidence in the remote server's identity for TLS connections."

kb-article

  • "## How it works
    Pinning allows for a trusted copy of a certificate or public key to be associated with a server and thus reducing the likelihood of frequently visited sites being subjected to man-in-the-middle attacks. Certificates or public keys can be pinned after a trusted connection has been established or the pinning can be preloaded in an application, which is the preferred method for mobile applications.

    Pinning can take the form of certificate pinning or public key pinning.

    ## Forms of Pinning
    * Certificate Pinning
    Certificate Pinning (CP) allows the client to verify the X.509 certificate against a preloaded certificate. Typically, this involves storing a hash of the certificate and comparing it to the hash of the certificate presented during the TLS handshake.

    * Public Key Pinning
    Public Key Pinning (PKP) requires the extraction of the public key from the server's certificate. The stored public key is compared to the server's presented public key. A public key is expected to rotate less frequently than an X.509 certificate, so public key pinning is generally favored over certificate pinning.

    An extension of PKP is Subject Public Key Info (SPKI) pinning, which pins the certificate's SubjectPublicKeyInfo structure: the public key together with its algorithm identifier and parameters.

    ## Considerations

    * With pinned certificates, whenever a server updates its certificate the pinned certificates will also need to be updated.
    * With pinned public keys, the extracted key may be subject to key refresh policies, but much less frequently.
    * Servers can become unavailable if pinned objects are set and not updated with the rotated identities. This may require a pinning strategy to be developed.
    * The application of this technique within web browser applications has been [deprecated](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning) by popular web browser developers. They now favor certificate analysis via public certificate transparency logs and the Expect-CT HTTP header."

rdfs:label

  • "Certificate Pinning"

authenticates

d3fend-id

  • "D3-CP"

kb-reference

Usage (18)

comment

  • "A certificate truststore is used to store public certificates used to authenticate clients by the server for an SSL connection."

rdfs:label

  • "Certificate Trust Store"

rdfs:seeAlso

  • http://dbpedia.org/resource/Public_key_certificate
  • https://www.educative.io/edpresso/keystore-vs-truststore

contains

Usage (18)

definition

  • "Comparing client-server request and response payloads to a baseline profile to identify outliers."

kb-article

  • "## How it works
    Request and response payloads across multiple clients to a single server are profiled to develop a baseline of their characteristics. The profile may take into account request/response sizes, entropy, frequency, and rhythm. Outliers are then identified, as they may indicate a malicious payload delivery and subsequent server exploitation.

    ## Considerations
    * Collecting metrics to establish a profile can be challenging since user behavior can change easily.
    * Employees may work different hours or inconsistent schedules which will cause false positives.
    * Collection of network activity to generate metrics is a computationally intensive process.
    * Users may log into different workstations which may cause false positives."

rdfs:label

  • "Client-server Payload Profiling"

analyzes

d3fend-id

  • "D3-CSPP"

kb-reference

Usage (18)

comment

  • "A client application is software that accesses a service made available by a server. The server is often (but not always) on another computer system, in which case the client accesses the service by way of a network. The term applies to the role that programs or devices play in the client-server model"

isDefinedBy

  • http://dbpedia.org/resource/Client_(computing)

rdfs:label

  • "Client Application"

rdfs:seeAlso

  • "http://attackguidev.mitre.org/techniques/T1554/ "Compromise Client Software Binary""

Usage (18)

comment

  • "The clipboard is a buffer that some operating systems provide for short-term storage and transfer within and between application programs. The clipboard is usually temporary and unnamed, and its contents reside in the computer's RAM. The clipboard is sometimes called the paste buffer. Windows, Linux and macOS support a single clipboard transaction. Each cut or copy overwrites the previous contents. Normally, paste operations copy the contents, leaving the contents available in the clipboard for further pasting."

isDefinedBy

  • http://dbpedia.org/resource/Clipboard_(computing)

rdfs:label

  • "Clipboard"

Usage (18)

altLabel

  • "Cloud Configuration Information"

comment

  • "Information used to configure the services, parameters, and initial settings for a virtual server instance running in a cloud service."

rdfs:label

  • "Cloud Configuration"

Usage (18)

comment

  • "Cloud instance metadata is configuration information on the instance and users of the instance. This includes such information as security groups, public IP addresses and private addresses, configured public keys, and even rotating security keys. User data can contain initialization scripts, variables, passwords, and more."

rdfs:label

  • "Cloud Instance Metadata"

rdfs:seeAlso

  • https://isc.sans.edu/forums/diary/Cloud+Metadata+Urls/22046

Usage (18)

comment

  • "Cloud storage is storage held within a computing cloud."

isDefinedBy

  • http://dbpedia.org/resource/Cloud_storage

rdfs:label

  • "Cloud Storage"

rdfs:seeAlso

  • http://dbpedia.org/resource/Cloud_computing

Usage (18)

comment

  • "A user account on a given host is a local user account for a given cloud and specified resources within that cloud."

rdfs:label

  • "Cloud User Account"

Usage (18)

altLabel

  • "Repository"
  • "Version Control Repository"

comment

  • "A code repository is a form of database where code, typically source code, is stored and managed. In revision control systems, a repository is a data structure that stores metadata for a set of files or directory structure. Depending on whether the version control system in use is distributed (like Git or Mercurial) or centralized (like Subversion, CVS, or Perforce), the whole set of information in the repository may be duplicated on every user's system or may be maintained on a single server."

isDefinedBy

  • http://dbpedia.org/resource/Repository_(version_control)

rdfs:label

  • "Code Repository"

contains

Usage (18)

rdfs:label

  • "Collection"

display-order

  • 9

Usage (18)

rdfs:label

  • "Collection Technique"

enables

Usage (18)

comment

  • "In computing, a command is a directive to a computer program acting as an interpreter of some kind, in order to perform a specific task. Most commonly a command is either a directive to some kind of command-line interface, such as a shell, or an event in a graphical user interface triggered by the user selecting an option in a menu."

isDefinedBy

  • http://dbpedia.org/resource/Command_(computing)

rdfs:label

  • "Command"

Usage (18)

rdfs:label

  • "Command And Control"

display-order

  • 10

Usage (18)

rdfs:label

  • "Command and Control Technique"

enables

Usage (18)

comment

  • "A log of commands run in an operating system shell."

rdfs:label

  • "Command History Log"

rdfs:seeAlso

Usage (18)

comment

  • "A command history log file is a file containing a command history, which is the history of commands run in an operating system shell."

rdfs:label

  • "Command History Log File"

rdfs:seeAlso

  • http://dbpedia.org/resource/Command_history

contains

Usage (18)

kb-abstract

  • "An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within Remote Desktop. To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This analytic looks for instances of cmd.exe or powershell.exe launched directly from the logon process, winlogon.exe. It should be used in tandem with CAR-2014-11-003, which detects the accessibility programs in the command line."

kb-author

  • "MITRE"

kb-mitre-analysis

  • "MITRE"

kb-mitre-analysis

  • ""

rdfs:label

  • "Reference - CAR-2014-11-008: Command Launched from WinLogon - MITRE"

kb-reference-of

  • 'Process Lineage Analysis'

kb-reference-title

  • "CAR-2014-11-008: Command Launched from WinLogon"

Usage (18)

kb-abstract

  • "Before exfiltrating data that an adversary has collected, it is very likely that a compressed archive will be created, so that transfer times are minimized and fewer files are transmitted. There is variety between the tools used to compress data, but the command line usage and context of archiving tools, such as ZIP, RAR, and 7ZIP, should be monitored.

    In addition to looking for RAR or 7z program names, command line usage of 7Zip or RAR can be detected with the flag usage of "* a *". This is helpful, as adversaries may change program names."

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-mitre-analysis

  • ""

rdfs:label

  • "Reference - CAR-2013-07-005: Command Line Usage of Archiving Software -"

kb-reference-of

kb-reference-title

  • "CAR-2013-07-005: Command Line Usage of Archiving Software"

Usage (18)

comment

  • "In computing, a compiler is a computer program that translates computer code written in one programming language (the source language) into another language (the target language). The name "compiler" is primarily used for programs that translate source code from a high-level programming language to a lower level language (e.g., assembly language, object code, or machine code) to create an executable program."

isDefinedBy

  • http://dbpedia.org/resource/Compiler

rdfs:label

  • "Compiler"

reads

Usage (18)

comment

  • "A file containing information used to configure the parameters and initial settings for a compiler."

rdfs:label

  • "Compiler Configuration File"

Usage (18)

comment

  • "Information used to configure a system including software and hardware."

rdfs:label

  • "Configuration Bearing Entity"

Usage (18)

definition

  • "A decoy service, system, or environment, that is connected to the enterprise network, and simulates or emulates certain functionality to the network, without exposing full access to a production system."

kb-article

  • "## How it works
    Decoy honeypots are deployed within the enterprise environment that emulate certain services or portions of an OS to attract attackers.

    ## Considerations
    A connected honeynet provides a tradeoff between emulating certain functionality but not being as sophisticated as an integrated honeynet. The connected honeynet may not provide enough functionality to detect new attack patterns or zero day exploits but could provide enough functionality for specific known vulnerabilities."

rdfs:label

  • "Connected Honeynet"

d3fend-id

  • "D3-CHN"

kb-reference

spoofs

Usage (18)

definition

  • "Analyzing failed connections in a network to detect unauthorized activity."

kb-article

  • "## How it works
    Connection Attempt Analysis can be performed in multiple ways.

    ### Monitoring traffic to unallocated IP space
    One approach looks for failed connection attempts against unallocated IP space. First, network traffic is captured to map out the network to identify network assets as well as unallocated IP space. The map is then used to determine if connection attempts are being made to the unallocated IP space.

    ### Monitoring for sequentially transmitted traffic
    Another approach passively inspects network traffic with application protocol analyzers, observing network activity characteristics such as the volume of packets sent/received, TCP session attributes, and connection information between hosts (start time, source/destination host, services, etc.). Pattern matching is then used to identify traffic which appears to be probing for network hosts.

    ## Considerations

    * Implementations that rely on analysis of unallocated IP address space increase in their complexity with network size and decentralized network infrastructure.
    * Inventory of unallocated IP space should be continuously updated to mitigate the risk of false positives.
    * IPv6 also introduces challenges including IPv6 traffic bypassing IPv4 specific protection systems (ex. firewalls and IDS) and complexity in managing both IPv6 and IPv4 addresses."

rdfs:label

  • "Connection Attempt Analysis"

synonym

  • "Network Scan Detection"

analyzes

d3fend-id

  • "D3-CAA"

kb-reference

Usage (18)

comment

  • "A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.

    Container images become containers at runtime and in the case of Docker containers - images become containers when they run on Docker Engine. Available for both Linux and Windows-based applications, containerized software will always run the same, regardless of the infrastructure. Containers isolate software from its environment and ensure that it works uniformly despite differences for instance between development and staging."

isDefinedBy

  • https://www.docker.com/resources/what-container

rdfs:label

  • "Container Image"

Usage (18)

comment

  • "A d3f:Software which manages and coordinates running one or more d3f:ContainerProcess."

rdfs:label

  • "Container Orchestration Software"

Usage (18)

comment

  • "A software layer between d3f:ContainerProcess and d3f:Kernel which often mediates the invocation of d3f:SystemCall"

rdfs:label

  • "Container Runtime"

runs

Usage (18)

rdfs:label

  • "Copy Token"

Usage (18)

comment

  • "System call to create a new file on a file system. Some operating systems implement this functionality as part of their d3f:OpenFile system call."

rdfs:label

  • "Create File"

rdfs:seeAlso

  • https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfile2
  • https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea
  • https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew
  • https://linux.die.net/man/2/creat

creates

Usage (18)

altLabel

  • "Process Spawn"

comment

  • "A process spawn refers to a function that loads and executes a new child process. The current process may wait for the child to terminate or may continue to execute asynchronously. Creating a new subprocess requires enough memory in which both the child process and the current program can execute. There is a family of spawn functions in DOS, inherited by Microsoft Windows. There is also a different family of spawn functions in an optional extension of the POSIX standards. Fork-exec is another technique combining two Unix system calls, which can effect a process spawn."

rdfs:label

  • "Create Process"

rdfs:seeAlso

  • http://dbpedia.org/resource/Fork%E2%80%93exec
  • http://dbpedia.org/resource/Spawn_(computing)
  • https://docs.microsoft.com/en-us/windows/win32/procthread/creating-processes

Usage (18)

kb-abstract

  • "Adversaries may use Windows Management Instrumentation (WMI) to move laterally, by launching executables remotely. The analytic CAR-2014-12-001 describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility wmic.exe is used on the source host, then it can additionally be detected on an analytic. The command line on the source host is constructed into something like wmic.exe /node:"<hostname>" process call create "<command line>". It is possible to also connect via IP address, in which case the string "<hostname>" would instead look like IP Address.

    Although this analytic was created after CAR-2014-12-001, it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility PowerShell."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-mitre-analysis

  • "MITRE"

rdfs:label

  • "Reference - CAR-2016-03-002: Create Remote Process via WMIC - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2016-03-002: Create Remote Process via WMIC"

Usage (18)

comment

  • "Threads are an execution model that exists independently from a language, as well as a parallel execution model. They enable a program to control multiple different flows of work that overlap in time."

rdfs:label

  • "Create Thread"

rdfs:seeAlso

  • http://dbpedia.org/resource/POSIX_Threads
  • https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthread

Usage (18)

comment

  • "A credential is a physical/tangible object, a piece of knowledge, or a facet of a person's physical being that enables an individual access to a given physical facility or computer-based information system. Typically, credentials can be something a person knows (such as a number or PIN), something they have (such as an access badge), something they are (such as a biometric feature), something they do (measurable behavioral patterns) or some combination of these items. This is known as multi-factor authentication. The typical credential is an access card or key-fob, and newer software can also turn users' smartphones into access devices."

isDefinedBy

  • http://dbpedia.org/resource/Access_control#Credential

rdfs:label

  • "Credential"

rdfs:seeAlso

  • http://dbpedia.org/resource/Access_control

authenticates

Usage (18)

rdfs:label

  • "Credential Access"

display-order

  • 6

Usage (18)

rdfs:label

  • "Credential Access Technique"

accesses

enables

Usage (18)

definition

  • "Determining which credentials may have been compromised by analyzing the user logon history of a particular system."

kb-article

  • "## How it works

    #### Memory
    Credentials may be stored in memory for a variety of reasons; on Windows, they may be stored in lsass.exe. Once a credential dumper like mimikatz runs and dumps the memory of lsass.exe, the credentials of every account logged on since boot are potentially compromised.
    When such an event occurs, this analytic will give the forensic context to identify compromised users. Those users could potentially be used in later events for additional logons.


    #### Hard disk
    An operating system may cache a certain number of credentials on the hard disk to use as a source of truth if it cannot contact the credential server. In many versions of Microsoft Windows, the 10 most recent are cached by default; this setting can be changed in the Microsoft Management Console's Local Security Policy: `Computer Configuration -> Windows Settings -> Local Policy -> Security Options -> Interactive Logon: Number of previous logons to cache -> 0`. Here we are not concerned with the alteration of the credentials but with the fact that they might be read. If the attacker has physical access to the machine, they are unlikely to be stopped from reading files on the filesystem.
    "In the event that the domain controller is unavailable Windows will check the last password hashes that has been cached in order to authenticate the user with the system. These password hashes are cached in the following registry setting:
    HKEY_LOCAL_MACHINE\SECURITY\Cache
    Mimikatz can retrieve these hashes if the following command is executed:
    lsadump::cache" [1]

    The Registry Hive, HKEY_LOCAL_MACHINE\SAM, which is stored in the supporting files %systemroot%\System32\Config\{Sam,sam.log,sam.sav}, contains the SAM file.

    On a domain controller (DC), these are stored in %systemroot%\ntds\ntds.dit. (https://www.ultimatewindowssecurity.com/blog/default.aspx?d=10/2017)

    Memory containing credentials can also end up on the hard disk, as with hiberfil.sys on Windows; Linux has an equivalent.

    On Linux, an attacker could read the /etc/shadow file.

    Credentials can also be read from the /proc directory, as done by mimipenguin and many other tools.

    ## Considerations
    Effective implementation requires identifying any location that could end up containing credentials, and detecting any method of potential access to a source of credential data.

    1. https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5"

rdfs:label

  • "Credential Compromise Scope Analysis"

analyzes

d3fend-id

  • "D3-CCSA"

kb-reference

Usage (18)

kb-abstract

  • "Credential dumpers like Mimikatz can be loaded into memory and from there read data from other processes. This analytic looks for instances where processes are requesting specific permissions to read parts of the LSASS process in order to detect when credential dumping is occurring. One weakness is that all current implementations are "overtuned" to look for common access patterns used by Mimikatz."

kb-author

  • "MITRE"

kb-mitre-analysis

  • "MITRE"

kb-mitre-analysis

  • ""

rdfs:label

  • "Reference - CAR-2019-04-004: Credential Dumping via Mimikatz - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2019-04-004: Credential Dumping via Mimikatz"

Usage (18)

kb-abstract

  • "The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking "Create dump file". This saves a dump file to disk with a deterministic name that includes the name of the process being dumped.

    This requires filesystem data to determine whether files have been created."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-mitre-analysis

  • "MITRE"

rdfs:label

  • "Reference - CAR-2019-08-001: Credential Dumping via Windows Task Manager - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2019-08-001: Credential Dumping via Windows Task Manager"

Usage (18)

definition

  • "Credential Eviction techniques disable or remove compromised credentials from a computer network."

rdfs:label

  • "Credential Eviction"

d3fend-id

  • "D3-CE"

enables

Usage (18)

definition

  • "Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials."

rdfs:label

  • "Credential Hardening"

d3fend-id

  • "D3-CH"

enables

Usage (18)

comment

  • "Credential Management, also referred to as a Credential Management System (CMS), is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI)."

isDefinedBy

  • http://dbpedia.org/resource/Credential_Management

rdfs:label

  • "Credential Management System"

Usage (18)

definition

  • "Limiting the transmission of a credential to a scoped set of relying parties."

rdfs:label

  • "Credential Transmission Scoping"

rdfs:seeAlso

  • https://pages.nist.gov/TIG-Stage/sp800-63c.html
  • https://www.w3.org/TR/webauthn-2/

synonym

  • "Phishing Resistant Authentication"

d3fend-id

  • "D3-CTS"

kb-reference

restricts

Usage (18)

comment

  • "A custom archive file is an archive file conforming to a custom format; that is, an archive file that does not conform to a common standard."

rdfs:label

  • "Custom Archive File"

Usage (18)

kb-abstract

  • "Microsoft Windows allows for processes to remotely create threads within other processes of the same privilege level. This functionality is provided via the Windows API CreateRemoteThread. Both Windows and third-party software use this ability for legitimate purposes. For example, the Windows process csrss.exe creates threads in programs to send signals to registered callback routines. Both adversaries and host-based security software use this functionality to inject DLLs, but for very different purposes. An adversary is likely to inject into a program to evade defenses or bypass User Account Control, but a security program might do this to gain increased monitoring of API calls. One of the most common methods of DLL Injection is through the Windows API LoadLibrary.

    1. Allocate memory in the target program with VirtualAllocEx
    2. Write the name of the DLL to inject into this program with WriteProcessMemory
    3. Create a new thread and set its entry point to LoadLibrary using the API CreateRemoteThread.

    This behavior can be detected by looking for thread creations across processes, and resolving the entry point to determine the function name. If the function is LoadLibraryA or LoadLibraryW, then the intent of the remote thread is clearly to inject a DLL. When this is the case, the source process must be examined so that it can be ignored when it is both expected and a trusted process."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-mitre-analysis

  • "MITRE"

rdfs:label

  • "Reference - CAR-2013-10-002: DLL Injection via Load Library - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2013-10-002: DLL Injection via Load Library"

Usage (18)

definition

  • "Permitting only approved domains and their subdomains to be resolved."

rdfs:label

  • "DNS Allowlisting"

synonym

  • "DNS Whitelisting"

blocks

d3fend-id

  • "D3-DNSAL"

kb-reference

Usage (18)

definition

  • "Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type."

kb-article

  • "## How it works
    Rules are implemented that filter DNS queries using criteria such as:
    - Client subnet
    - Type of network protocol used in query
    - Fully qualified domain name (FQDN) of record in the query
    - DNS Server IP address that received the DNS request
    - Type of DNS record being queried
    - Time of day the query is received
    - Size of the response

    For example, a DNS policy can be created for blocking DNS queries for FQDNs that have been identified as unauthorized.

    ## Considerations
    - DNS filtering policies must be designed with care to avoid over-blocking or under-blocking domains.
    - Continuous maintenance of unauthorized domain lists is needed to keep up to date with possible site content changes.
    - File sharing or content delivery networks may require other filtering techniques that are more fine-grained (URL blocking).
    - Access to malicious websites or other network resources directly by IP instead of by DNS record, or after alteration of local DNS hosts file, may not result in DNS network traffic."

rdfs:label

  • "DNS Denylisting"

synonym

  • "DNS Blacklisting"

blocks

d3fend-id

  • "D3-DNSDL"

kb-reference

Usage (18)

comment

  • "A Domain Name System (DNS) lookup is a record returned from a DNS resolver after querying a DNS name server. Typically considered an A or AAAA record, where a domain name is resolved to an IPv4 or IPv6 address, respectively."

rdfs:label

  • "DNS Lookup"

rdfs:seeAlso

  • http://dbpedia.org/resource/Domain_Name_System
  • http://dbpedia.org/resource/List_of_DNS_record_types

Usage (18)

comment

  • "RPC network traffic is network traffic related to remote procedure calls between network nodes. This includes only network traffic conforming to a standard RPC protocol; not custom protocols."

rdfs:label

  • "DNS Network Traffic"

Usage (18)

definition

  • "Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host."

kb-article

  • "## How it works
    This technique can be accomplished in a number of ways.

    * One example analytic determines whether or not a domain name was generated with an algorithm. Domain generation algorithms (DGAs) are sometimes used to create a domain name automatically that will resolve to C2 infrastructure, without directly coding the domains in question into the malicious code.
    * Another method analyzes information about domains that have been visited, including whether a domain name is longer than a common length, if a dynamic DNS domain was visited, if a fast-flux domain was visited, and if a recently created domain was visited. These factors are used to develop a score and if that score is over a certain threshold, an alert is generated.
    * Collected malware samples can be executed in a virtual environment to identify network domains that are connected to during execution. The network domains are then generated into signatures to identify bad domains for other hosts.

    This technique does not check for content hosted at the domain.

    ## Considerations

    * DNS produces a large amount of traffic which can be resource-intensive to analyze in real time.
    * If a server is compromised, for example, as part of a watering hole attack, but the DNS information pointing to that server is not altered, this technique would not catch such an incident."

rdfs:label

  • "DNS Traffic Analysis"

synonym

  • "Domain Name Analysis"

analyzes

d3fend-id

  • "D3-DNSTA"

kb-reference

may-contain

Usage (18)

kb-abstract

  • "Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn't it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information?

    Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can't be used to execute malicious code that may be inserted by means of a vulnerability exploit."

kb-author

  • "Nick Schonning, Daniel Simpson, Marty Hernandez Avedon, Trond B. Krokli, jreeds, jcaparas, Andres Mariano Gorzelany, Tina Burden, Thomas Raya, Justin Hall, justanotheranonymoususer, Liza Poggemeyer, Dani Halfin, imba-tjd (Authors for entire page)"

kb-mitre-analysis

  • "Microsoft"

kb-mitre-analysis

  • ""

rdfs:label

  • "Reference - Mitigate threats by using Windows 10 security features: Data Execution Prevention - Microsoft"

kb-reference-of

kb-reference-title

  • "Mitigate threats by using Windows 10 security features: Data Execution Prevention"

Usage (18)

comment

  • "A database is an organized collection of data, generally stored and accessed electronically from a computer system. Where databases are more complex they are often developed using formal design and modeling techniques."

isDefinedBy

  • http://dbpedia.org/resource/Database

rdfs:label

  • "Database"

rdfs:seeAlso

  • http://dbpedia.org/resource/Database

Usage (18)

comment

  • "A specific query expressed in SQL, SPARQL, or similar language against a database."

rdfs:label

  • "Database Query"

Usage (18)

definition

  • "Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html)."

kb-article

  • "## How it works

    Some implementations use software hooks to intercept function calls related to database query operations. Other implementations might intercept or collect network traffic. The database query string is then extracted and analyzed with various methods, for example:
    * Detecting specific administrative SQL commands
    * Anomalous sequences of commands when compared to a statistical baseline.
    * Anomalous commands for a given user role.

    ## Considerations

    Some capabilities sanitize queries before permitting them to be transmitted to the database. This incurs risks such as altering data in an undesired way or breaking application functionality."

rdfs:label

  • "Database Query String Analysis"

analyzes

d3fend-id

  • "D3-DQSA"

kb-reference

Usage (18)

altLabel

  • "Network Database Resource"

comment

  • "A database server is a server which uses a database application that provides database services to other computer programs or to computers, as defined by the client-server model. Database management systems (DBMSs) frequently provide database-server functionality, and some database management systems (such as MySQL) rely exclusively on the client-server model for database access (while others e.g. SQLite are meant for using as an embedded database). For clarification, a database server is simply a server that maintains services related to clients via database applications."

isDefinedBy

  • http://dbpedia.org/resource/Database_server

rdfs:label

  • "Database Server"

contains

Usage (18)

definition

  • "Removing unreachable or "dead code" from compiled source code."

kb-article

  • "## How it works

    Dead code is code that is considered unreachable by normal program execution. Dead code can be created by adding code under a condition that never evaluates to true. Dead code should be removed since this type of code can produce unexpected results, if accidentally or maliciously forced to execute.

    Dead code identification is typically performed by algorithms that implement program flow analysis looking for unreachable code. The dead code is eliminated by instructing compilers to remove the code through compiler flags, e.g., '-fdce' is used for Dead Code Elimination.

    ## Considerations

    Code can also be deemed unreachable for certain run-time conditions. Different deployed systems and environments may contain some code that is unreachable for the given environment. This technique does not consider run-time conditions for unreachable code."

rdfs:label

  • "Dead Code Elimination"

d3fend-id

  • "D3-DCE"

kb-reference

Usage (18)

kb-abstract

  • "The Windows Registry location HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for Accessibility Applications. The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.

    This analytic may produce false positives if the known strings are used as arguments to other applications in the day-to-day environment. Although the chance of the string "sethc.exe" being used as an argument for another application is unlikely, it still is a possibility."

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-mitre-analysis

  • ""

rdfs:label

  • "Reference - CAR-2014-11-003: Debuggers for Accessibility Applications -"

kb-reference-of

  • 'Process Lineage Analysis'

kb-reference-title

  • "CAR-2014-11-003: Debuggers for Accessibility Applications"

Usage (18)

kb-abstract

  • "The Windows Registry location HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options allows for parameters to be set for applications during execution. One feature used by malicious actors is the "Debugger" option. When a key has this value enabled, a Debugging command line can be specified. Windows will launch the Debugging command line, and pass the original command line in as an argument. Adversaries can set a Debugger for Accessibility Applications. The analytic looks for the original command line as an argument to the Debugger. When the strings "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", and "Magnify.exe" are detected in the arguments, but not as the main executable, it is very likely that a Debugger is set.

    This analytic may produce false positives if the known strings are used as arguments to other applications in the day-to-day environment. Although the chance of the string "sethc.exe" being used as an argument for another application is unlikely, it still is a possibility."
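The analytic described in the two CAR-2014-11-003 abstracts above, as an added example that is not MITRE's or D3FEND's code: it runs the check over constructed process-creation records. The record format, the helper names and the `allow_images` parameter are assumptions made for the example.

```python
"""Added example, not code from D3FEND or MITRE CAR: a defender-side check for
the CAR-2014-11-003 pattern over constructed process-creation records.

The analytic: an accessibility program's name appears in a process's
command-line arguments, but that process's own image is not the accessibility
program. That is what happens when an IFEO "Debugger" value is set, because
Windows launches the debugger and passes the original command line to it.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Accessibility executables named in the CAR abstract, compared case-insensitively.
ACCESSIBILITY_EXES = frozenset(
    {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe"}
)


@dataclass
class ProcessEvent:
    """One process-creation record as an endpoint sensor might log it (constructed)."""
    image: str         # path of the executable that actually started
    command_line: str  # command line as recorded for that process


def _basename(path: str) -> str:
    """Last path component, lower-cased, accepting both \\ and / separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split on whitespace, keeping double-quoted runs together (quotes dropped).

    Simplified relative to the real CommandLineToArgvW rules: no backslash
    escapes, which is enough for the image-path arguments checked here.
    """
    tokens: List[str] = []
    current: List[str] = []
    in_quotes = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def debugger_hijack_candidate(
    event: ProcessEvent, allow_images: FrozenSet[str] = frozenset()
) -> Optional[str]:
    """Return the accessibility exe named in the arguments, or None.

    The first token is the program itself and is skipped; only arguments count.
    `allow_images` (assumed parameter) suppresses day-to-day tools known to take
    such paths as arguments, the residual false-positive source the abstract mentions.
    """
    image_exe = _basename(event.image)
    if image_exe in allow_images:
        return None
    for token in split_windows_cmdline(event.command_line)[1:]:
        name = _basename(token)
        if name in ACCESSIBILITY_EXES and name != image_exe:
            return name
    return None


def scan(events, allow_images: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """Run the analytic over a batch of records; returns (image, accessibility exe) hits."""
    hits = []
    for event in events:
        name = debugger_hijack_candidate(event, allow_images)
        if name is not None:
            hits.append((event.image, name))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Normal Sticky Keys launch: the accessibility program is the image itself.
    ProcessEvent(r"C:\Windows\System32\sethc.exe", "sethc.exe 211"),
    # Debugger value set for sethc.exe: cmd.exe starts and receives the original command line.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" C:\Windows\System32\sethc.exe 211'),
    # Same pattern for utilman.exe, with a differently cased path.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe C:\WINDOWS\system32\UTILMAN.EXE /debug"),
    # Unrelated service host: no accessibility name in the arguments.
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
    # Everyday tool given the path as an argument: the false positive the abstract allows for.
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Windows\System32\sethc.exe"),
]

if __name__ == "__main__":
    for image, name in scan(SAMPLE_EVENTS):
        print(f"possible IFEO debugger for {name}: launched {image}")
```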

kb-author

  • "MITRE"

kb-mitre-analysis

  • "MITRE"

kb-mitre-analysis

  • ""

rdfs:label

  • "Reference - CAR-2014-11-003: Debuggers for Accessibility Applications - MITRE"

kb-reference-of

  • 'Process Lineage Analysis'

kb-reference-title

  • "CAR-2014-11-003: Debuggers for Accessibility Applications"

Usage (18)

definition

  • "The deceive tactic is used to advertise, entice, and allow potential attackers access to an observed or controlled environment."

rdfs:label

  • "Deceive"

display-order

  • 3

Usage (18)

altLabel

  • "Decoy"
  • "Decoy Object"
  • "Lure"
  • "Trap"

comment

  • "A decoy is an imitation digital artifact in any sense of a digital artifact, object, or phenomenon that is intended to deceive a cyber attacker's surveillance devices or mislead their evaluation. Examples include fake files, accounts, hosts (honeypots), and network segments (honeynets)."

rdfs:label

  • "Decoy Artifact"

rdfs:seeAlso

  • http://dbpedia.org/resource/Deception_technology
  • https://doi.org/10.1007/978-3-319-25133-2
  • https://shield.mitre.org/

may-contain

Usage (18)

definition

  • "A Decoy Environment comprises hosts and networks for the purposes of deceiving an attacker."

kb-article

  • "## Technique Overview

    Systems in a decoy environment are typically configured with some detectable means of communication that has no legitimate business purpose. Any communication via these means should be logged and analyzed to find potential indicators of compromise for a possible past or future attack against other systems."

rdfs:label

  • "Decoy Environment"

synonym

  • "Honeypot"

d3fend-id

  • "D3-DE"

enables

manages

Usage (18)

definition

  • "A file created for the purposes of deceiving an adversary."

kb-article

  • "## How it works
    The decoy file is made available as a local or network resource. Accesses to the file may be monitored. The files may be configurations, documents, executables, or other file types.


    ## Considerations
    Properties of the file such as cryptographic checksums, file creation date, file modified date, file size, file owner, etc. may be modified to improve the credibility of the file.

    ## Example
    * A CSV file with decoy user credentials is placed on a system. The system or network is then monitored to detect any accesses to the decoy files."

rdfs:label

  • "Decoy File"

d3fend-id

  • "D3-DF"

kb-reference

spoofs

Usage (18)

definition

  • "Deploying a network resource for the purposes of deceiving an adversary."

kb-article

  • "## How it works
    Decoy network resources are deployed to web application servers, network file shares, or other network based sharing services.

    A "honeypot" may serve a variety of decoy network resources.

    ## Considerations

    * Developing a deployment and placement strategy for the decoy network resource.
    * Personnel responsible for creation of decoy networks should consider the potential for resource exhaustion through denial of service attacks.

    ## Examples
    * Honeypots are typically used to mimic a known system with fake vulnerabilities. This may attract attackers to the honeypot.
    * Decoy accounts are also used to scan for attempted logins. The decoy accounts can provide security analysts with the attacker's potential intents and strategies.
    * Tarpits are used to monitor unallocated IP space for unauthorized network activity."

rdfs:label

  • "Decoy Network Resource"

d3fend-id

  • "D3-DNR"

kb-reference

spoofs

Usage (18)

definition

  • "A Decoy Object is created and deployed for the purposes of deceiving attackers."

kb-article

  • "## Technique Overview
    Decoy objects are typically configured with detectable means of communication but do not have any legitimate business purpose. Any communication via or to these objects should be logged and analyzed to find potential indicators of compromise for a possible past or future attack against other systems."

rdfs:label

  • "Decoy Object"

synonym

  • "Lure"

d3fend-id

  • "D3-DO"

enables

Usage (18)

definition

  • "Establishing a fake online identity to misdirect, deceive, and/or interact with adversaries."

kb-article

  • "## How it works
    A false online identity is created for the purposes of interacting with adversaries in a direct or indirect manner. This includes the associated email addresses, social media accounts, and other online communication profiles.

    ## Considerations
    * Include phone numbers and online social profiles, and respond automatically or manually to contact made to the persona, to improve realism.
    * Continuously update and manage the decoy personas and online activity streams to ensure personas do not become stale and outdated."

rdfs:label

  • "Decoy Persona"

d3fend-id

  • "D3-DP"

kb-reference

spoofs

Usage (18)

definition

  • "Issuing publicly released media to deceive adversaries."

kb-article

  • "## How it works
    Publicly released media includes press releases, videos, or other marketing collateral. The media may include URLs, points of contact, or other identifiers to entice interaction from adversaries.

    ## Considerations
    * Information used in decoy public release media must contain enough realism to deceive adversaries and draw interaction from them.
    * Continuous development, creation, and distribution of media and identifiers are needed to ensure adversary interaction continues over time.
    * Decoy public releases could be placed on platforms with different degrees of ownership, including entirely enterprise-owned infrastructure, IaaS, and SaaS (including social applications). Platforms that are not entirely enterprise-owned may be more likely to gather information."

rdfs:label

  • "Decoy Public Release"

d3fend-id

  • "D3-DPR"

kb-reference

Usage (18)

definition

  • "An authentication token created for the purposes of deceiving an adversary."

kb-article

  • "## How it works
    Usage of decoy session tokens may be monitored to track attacker behavior or otherwise control the beliefs of the attacker.

    ## Considerations
    * Interaction and activity with the decoy session token must be constantly monitored and analyzed to detect unauthorized activity.
    * Session tokens are typically short-lived and therefore the decoy must be continuously updated to provide the appearance of it being used in the production environment.
    * Automated tools can assist with maintenance and updates by automatically adjusting the decoy session token and environment to mimic the production environment."

rdfs:label

  • "Decoy Session Token"

d3fend-id

  • "D3-DST"

kb-reference

spoofs

Usage (18)

definition

  • "A Credential created for the purpose of deceiving an adversary."

kb-article

  • "## How it works
    A detection analytic is developed to determine when a user uses decoy credentials. Subsequent actions by that user may be monitored or controlled by the defender.

    A credential may be:
    * Domain username and password
    * Local system username and password

    ## Considerations
    * Decoy credentials should be integrated with a larger decoy environment to ensure that when decoy credentials are compromised, the credentials are used to interact with a decoy asset that is being monitored.
    * Continuous maintenance and updates are needed to ensure the legitimacy of the larger decoy environment and specifically the assets that utilize the decoy credentials."

rdfs:label

  • "Decoy User Credential"

d3fend-id

  • "D3-DUC"

kb-reference

spoofs

Usage (18)

comment

  • "Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems, or default factory/provider-set accounts on other types of systems, software, or devices."

rdfs:label

  • "Default User Account"

rdfs:seeAlso

  • https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts

Usage (18)

rdfs:label

  • "Defense Evasion"

display-order

  • 5

Usage (18)

rdfs:label

  • "Defense Evasion Technique"

enables

Usage (18)

comment

  • "a plan for attaining a particular goal"

isDefinedBy

  • http://wordnet-rdf.princeton.edu/id/05913746-n

rdfs:label

  • "Defensive Tactic"

Usage (18)

definition

  • "A method which makes a computer system more difficult to attack."

rdfs:label

  • "Defensive Technique"

rdfs:seeAlso

  • https://csrc.nist.gov/glossary/term/security_control

synonym

  • "Countermeasure Technique"
  • "Defensive Capability Feature"
  • "Technical Security Control"

enables

Usage (18)

definition

  • "The detect tactic is used to identify adversary access to or unauthorized activity on computer networks."

rdfs:label

  • "Detect"

display-order

  • 1

Usage (18)

comment

  • "An information-bearing artifact (object) that is, or is encoded to be used with, a digital computer system. This concept is broad to include the literal instances of an artifact, or an implicit summarization of changes to or properties of other artifacts."

rdfs:label

  • "Digital Artifact"

rdfs:seeAlso

  • http://dbpedia.org/resource/Digital_artifactual_value
  • http://dbpedia.org/resource/Virtual_artifact

Usage (18)

comment

  • "In computing, a directory is a file system cataloging structure which contains references to other computer files, and possibly other directories. On many computers, directories are known as folders, or drawers to provide some relevancy to a workbench or the traditional office file cabinet."

isDefinedBy

  • http://dbpedia.org/resource/Directory_(computing)

rdfs:label

  • "Directory"

may-contain

Usage (18)

comment

  • "In computing, directory service or name service maps the names of network resources to their respective network addresses. It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is a critical component of a network operating system. A directory server or name server is a server which provides such a service. Each resource on the network is considered an object by the directory server. Information about a particular resource is stored as a collection of attributes associated with that resource or object."

isDefinedBy

  • http://dbpedia.org/resource/Directory_service

rdfs:label

  • "Directory Service"

Usage (18)

rdfs:label

  • "Discovery"

display-order

  • 7

Usage (18)

rdfs:label

  • "Discovery Technique"

enables

Usage (18)

definition

  • "Encrypting a hard disk partition to prevent cleartext access to a file system."

rdfs:label

  • "Disk Encryption"

d3fend-id

  • "D3-DENCR"

encrypts

kb-reference

Usage (18)

altLabel

  • "Display Card"
  • "Graphics Adapter"
  • "Video Card"

comment

  • "A graphics card (also called a display card, video card, display adapter, or graphics adapter) is an expansion card which generates a feed of output images to a display device (such as a computer monitor). Frequently, these are advertised as discrete or dedicated graphics cards, emphasizing the distinction between these and integrated graphics. At the core of both is the graphics processing unit (GPU), which is the main part that does the actual computations, but should not be confused with the video card as a whole, although "GPU" is often used to refer to video cards."

isDefinedBy

  • http://dbpedia.org/resource/Video_card

rdfs:label

  • "Display Adapter"

Usage (18)

comment

  • "A device driver for a display adapter."

rdfs:label

  • "Display Device Driver"

rdfs:seeAlso

  • http://dbpedia.org/resource/Device_driver
  • http://dbpedia.org/resource/Display_adapter

drives

Usage (18)

altLabel

  • "Window Server"

comment

  • "A display server or window server is a program whose primary task is to coordinate the input and output of its clients to and from the rest of the operating system, the hardware, and each other. The display server communicates with its clients over the display server protocol, a communications protocol, which can be network-transparent or simply network-capable. The display server is a key component in any graphical user interface, specifically the windowing system."

isDefinedBy

  • http://dbpedia.org/resource/Display_server

rdfs:label

  • "Display Server"

Usage (18)

comment

  • "A document is a written, drawn, presented or recorded representation of thoughts. An electronic document file is usually used to describe a primarily textual file, along with its structure and design, such as fonts, colors and additional images."

rdfs:label

  • "Document File"

rdfs:seeAlso

  • http://dbpedia.org/resource/Document

may-contain

Usage (18)

definition

  • "Monitoring the existence of or changes to Domain User Accounts."

rdfs:label

  • "Domain Account Monitoring"

d3fend-id

  • "D3-DAM"

kb-reference

monitors

Usage (18)

comment

  • "A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet. Domain names are formed by the rules and procedures of the Domain Name System (DNS). Any name registered in the DNS is a domain name. Domain names are used in various networking contexts and application-specific naming and addressing purposes. In general, a domain name represents an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, a server computer hosting a web site, or the web site itself or any other service communicated via the Internet. In 2015, 294 million domain names had been registered."

rdfs:label

  • "Domain Name"

Usage (18)

altLabel

  • "Domain Name Registration Data"

comment

  • "A domain registration, or domain name registration data, is the relevant registration data from Internet resources such as domain names, IP addresses, and autonomous system numbers. Registration data is typically retrieved by means of either the Registration Data Access Protocol (RDAP) or its predecessor, the WHOIS protocol."

rdfs:label

  • "Domain Registration"

rdfs:seeAlso

  • http://dbpedia.org/resource/Domain_registration
  • http://dbpedia.org/resource/WHOIS

may-contain

Usage (18)

definition

  • "Restricting inter-domain trust by modifying domain configuration."

rdfs:label

  • "Domain Trust Policy"

d3fend-id

  • "D3-DTP"

kb-reference

restricts

Usage (18)

comment

  • "A domain user account in Microsoft Windows (2000) defines that user's access to a logical group of network objects (computers, users, devices) that share the same Active Directory databases; that is, a user's access to a domain."

rdfs:label

  • "Domain User Account"

rdfs:seeAlso

  • https://networkencyclopedia.com/global-user-account

Usage (18)

definition

  • "Ensuring the integrity of drivers loaded during initialization of the operating system."

kb-article

  • "## How it works
    This technique can be accomplished in a number of ways:

    * A kernel level security agent installed on a host machine ensures that the driver associated with the agent is first in the initialization order. A dependent DLL associated with the driver is configured to be processed before other dependent DLLs and executes a number of operations to ensure the driver associated with the security agent is initialized first.

    * Kernel components can be signed by a certificate obtained by a third party to verify the source of the component and whether it has been modified. When signed, the component will include a signature block implemented as a hash value of the component header and can also include a certificate chain. The signature and certificate data are typically added before the kernel component is distributed to the public.


    ## Considerations

    * Private keys used by reputable companies to sign code have been stolen in the past, as in cases where certificates from Adobe, Realtek, and JMicron were used to sign malicious executables. (Source: https://resources.infosecinstitute.com/cybercrime-exploits-digital-certificates/#gref)

    * Trusted Root Certificate Authorities have been compromised, yielding the ability to use the compromised keys to generate certificates with an arbitrary company name.

    * It may not be difficult for an attacker to start an organization which can obtain a signed certificate.

    * A root certificate authority (CA) whose certificate is trusted in the verification logic could generate incorrect certificates, if they are lax or have ulterior motives."

rdfs:label

  • "Driver Load Integrity Checking"

authenticates

d3fend-id

  • "D3-DLIC"

kb-reference

Usage (18)

definition

  • "Executing or opening a file in a synthetic "sandbox" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader."

kb-article

  • "## How it works
    Analyzing the interaction of a piece of code with a system while the code is being executed in a controlled environment such as a sandbox, virtual machine, or simulator. This exposes the natural behavior of the piece of code without requiring the code to be disassembled.

    ## Considerations
    * Malware often detects a fake environment, then changes its behavior accordingly. For example, it could detect that the system clock is being sped up in an effort to get it to execute commands that it would normally only execute at a later time, or that the hardware manufacturer of the machine is a virtualization provider.
    * Malware can attempt to determine if it is being debugged, and change its behavior accordingly.
    * For maximum fidelity, the simulated and real environments should be as similar as possible because the malware could perform differently in different environments.
    * Sometimes the malware behavior is triggered only under certain conditions (on a specific system date, after a certain time, or after it is sent a specific command) and can't be detected through a short execution in a virtual environment.

    ## Implementations
    * [Cuckoo Sandbox](https://cuckoosandbox.org)"

rdfs:label

  • "Dynamic Analysis"

synonym

  • "Malware Detonation"
  • "Malware Sandbox"

analyzes

d3fend-id

  • "D3-DA"

kb-reference

Usage (18)

comment

  • "An email, or email message, is a document that is sent between computer users across computer networks."

rdfs:label

  • "Email"

rdfs:seeAlso

  • http://dbpedia.org/resource/Email

may-contain

Usage (18)

comment

  • "An email attachment is a computer file sent along with an email message. One or more files can be attached to any email message, and be sent along with it to the recipient. This is typically used as a simple method to share documents and images."

isDefinedBy

  • http://dbpedia.org/resource/Email_attachment

rdfs:label

  • "Email Attachment"

attached-to

Usage (18)

comment

  • "A configuration of an email application which is used to apply logical or data processing functions to data processed by the email application."

rdfs:label

  • "Email Rule"

Usage (18)

definition

  • "Emulating instructions in a file looking for specific patterns."

rdfs:label

  • "Emulated File Analysis"

analyzes

d3fend-id

  • "D3-EFA"

kb-reference

Usage (18)

altLabel

  • "Network Enclave"

comment

  • "Network enclaves consist of standalone assets that do not interact with other information systems or networks. A major difference between a DMZ or demilitarized zone and a network enclave is a DMZ allows inbound and outbound traffic access, where firewall boundaries are traversed. In an enclave, firewall boundaries are not traversed. Enclave protection tools can be used to provide protection within specific security domains. These mechanisms are installed as part of an Intranet to connect networks that have similar security requirements."

isDefinedBy

  • http://dbpedia.org/resource/Network_enclave

rdfs:label

  • "Enclave"

may-contain

Usage (18)

comment

  • "A credential that is encrypted."

rdfs:label

  • "Encrypted Credential"

Usage (18)

definition

  • "Encrypted encapsulation of routable network traffic."

rdfs:label

  • "Encrypted Tunnels"

d3fend-id

  • "D3-ET"

isolates

kb-reference

Usage (18)

definition

  • "Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised."

kb-article

  • "## How it works
    Endpoints are configured to periodically generate and transmit a secure heartbeat that is delivered on a configured schedule and provides endpoint status information. Status information can include software details (version, configuration, etc.), endpoint identification (MAC, IP address, machine ID) or other hardware/software configuration information. Interruption of the heartbeat can signal that the endpoint has been compromised.

    ## Considerations
    * Security of heartbeat messages to ensure message integrity
    * Disappearance of the heartbeat could simply mean that the endpoint is powered off or intentionally disconnected from the network. Therefore other criteria may need to be used to accurately detect endpoint compromise.
    * Attacker presence on the machine may leave the heartbeat intact.
    * An attacker may determine the format of the heartbeat and continue to send it even after the machine is compromised."
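The heartbeat scheme described above, as an added example that is not D3FEND's or any vendor's code: the endpoint authenticates each beacon with an HMAC, and the monitor applies the checks the Considerations list asks for (message integrity, replay of a captured beacon, and a missed schedule). The JSON body, the per-endpoint shared key and the class and function names are assumptions made for the example.

```python
"""Added example, not code from D3FEND or any vendor product: a minimal
endpoint health beacon carrying an HMAC, with the monitor-side checks the
Considerations above call for (message integrity, replay of a captured
beacon, and a missed schedule).

Assumptions: a per-endpoint shared key provisioned out of band, a JSON
beacon body, and integer timestamps in seconds.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List


def _canonical(body: Dict[str, Any]) -> bytes:
    """Stable byte encoding so sender and monitor MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_beacon(key: bytes, endpoint_id: str, seq: int, sent_at: int,
                status: Dict[str, Any]) -> Dict[str, Any]:
    """Endpoint side: build one heartbeat and authenticate all of its fields."""
    body = {"endpoint_id": endpoint_id, "seq": seq, "sent_at": sent_at, "status": status}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


class BeaconMonitor:
    """Monitor side: verifies beacons and tracks which endpoints fall silent."""

    def __init__(self, keys: Dict[str, bytes], interval: int, missed_allowed: int = 1):
        self.keys = keys                  # endpoint_id -> shared key
        self.interval = interval          # configured schedule, in seconds
        self.missed_allowed = missed_allowed
        self.last_seq: Dict[str, int] = {}
        self.last_seen: Dict[str, int] = {}

    def accept(self, beacon: Dict[str, Any], now: int) -> str:
        """Return 'ok', 'unknown', 'bad_mac' or 'replay' for one received beacon."""
        body = {k: v for k, v in beacon.items() if k != "mac"}
        endpoint_id = body.get("endpoint_id")
        key = self.keys.get(endpoint_id)
        if key is None:
            return "unknown"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; a tampered field or a MAC made without the key fails here.
        # Note the page's caveat: an attacker holding the key on a compromised host
        # can still send valid beacons, so integrity alone does not prove health.
        if not hmac.compare_digest(expected, str(beacon.get("mac", ""))):
            return "bad_mac"
        # A captured beacon resent later carries a sequence number already accepted.
        if body["seq"] <= self.last_seq.get(endpoint_id, -1):
            return "replay"
        self.last_seq[endpoint_id] = body["seq"]
        self.last_seen[endpoint_id] = now
        return "ok"

    def overdue(self, now: int) -> List[str]:
        """Endpoints silent for longer than the schedule plus the allowed misses.

        Silence alone is not proof of compromise (power-off, maintenance), so
        this list is an input to further checks, not a verdict.
        """
        limit = self.interval * (self.missed_allowed + 1)
        return sorted(eid for eid, t in self.last_seen.items() if now - t > limit)


if __name__ == "__main__":
    # Constructed demo key and endpoint; not real provisioning data.
    key = b"constructed-demo-key"
    monitor = BeaconMonitor({"ep-1": key}, interval=60)
    beacon = make_beacon(key, "ep-1", 1, 1000, {"agent_version": "1.2.3"})
    print(monitor.accept(beacon, now=1000))   # ok
    print(monitor.accept(beacon, now=1005))   # replay
    print(monitor.overdue(now=1200))          # ['ep-1']
```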

rdfs:label

  • "Endpoint Health Beacon"

synonym

  • "Endpoint Health Telemetry"

d3fend-id

  • "D3-EHB"

kb-reference

Usage (18)

rdfs:label

  • "Endpoint Sensor"

Usage (18)

comment

  • "Event logs record events taking place in the execution of a system in order to provide an audit trail that can be used to understand the activity of the system and to diagnose problems. They are essential to understand the activities of complex systems, particularly in the case of applications with little user interaction (such as server applications)."

isDefinedBy

  • http://dbpedia.org/resource/Log_file#Event_logs

rdfs:label

  • "Event Log"

Usage (18)

definition

  • "The eviction tactic is used to remove an adversary from a computer network."

rdfs:label

  • "Evict"

display-order

  • 4

Usage (18)

definition

  • "Validates that a referenced exception handler pointer is a valid exception handler."

kb-article

  • "## How It Works
    When a process encounters an exception, it calls an exception handler to deal with the exception. The method by which this exception handler is determined varies by the operating system. The exception handler is called, even if it is the default exception handler to terminate the program and display a message that the program stopped working. In the case that no valid exception handler is found, the program would fail to proceed as normal and could be programmed to terminate.

    In Windows, the address of the exception registration record is stored at the very start of the Thread Information Block; the GS register points to this structure.

    The exception registration record contains two pointers: a pointer to the next exception registration record should this handler fail to handle the exception, and a pointer to the handler.

    A buffer overflow can overwrite the saved return pointer with an invalid location to execute memory; this often triggers the exception handler chain, which could also be corrupted by the buffer overflow. Although Process Exception Handler Validation does not make sure that the exception handler pointer or the code at the exception handler was unaltered, or that the exception handler code is secure, this technique does ensure that the pointer is at least an exception handler that could be called by the program.

    With Process Exception Handler Validation, before the handler is called, it checks the exception handler against a source of valid exception handlers. If the requested handler is not in this list, other techniques such as those in Process Eviction might be invoked, such as Process Termination to end the current process, or Executable Blacklisting to blacklist the potentially vulnerable or malfunctioning executable.

    ### Runtime valid exception handler source generation
    The source of valid exception handlers could be generated at runtime, with the risk of the information that is used to determine the validity of exception handlers being compromised.

    ### Compile-time
    The source of valid exception handlers could also be generated at compile time or as a binary patch. Given the source code, it would be rather straightforward to find the exception handlers, as they are pointed to in the catch statement of a try-catch clause, and the compiler must already generate the code to call them.

    ## Considerations
    If the program file can be altered by the attacker, then the security could be bypassed by replacing it with any desired program, without even bypassing SEH.

    If the attacker was already able to overwrite the code for a valid exception handler via other functionality in the program, this defense would not prevent arbitrary code execution.
    If an exception handler recognized as valid is vulnerable, it would be executed anyway.

    SafeSEH might be applied only to some executable files or modules, allowing an attacker to call any piece of code as an exception handler in the unprotected modules."

rdfs:label

  • "Exception Handler Pointer Validation"

synonym

  • "Exception Handler Validation"

d3fend-id

  • "D3-EHPV"

kb-reference

validates

Usage (18)

definition

  • "Using a digital signature to authenticate a file before opening."

kb-article

  • "## How it works

    This technique is generic and there are numerous ways to compute and authenticate digital signatures.
    A digital certificate is generated from a private/public key pair issued by a certificate authority (CA). A hash of the file is encrypted using the private key. When the file is downloaded by another user, the user's system uses the public key to decrypt the hash and a new hash is created of the downloaded file. The hash decrypted by the public key is compared to the new hash and if there is a mismatch, further techniques, such as file deletion, file quarantine, or **Executable Blacklisting** may be invoked.

    This technique may be invoked when deciding whether to execute a file.

    ## Considerations

    Organizations which download or create high volumes of software, in particular engineering or scientific organizations, make management of the allowlist complex."

rdfs:label

  • "Executable Allowlisting"

synonym

  • "File Signature Authentication"

blocks

d3fend-id

  • "D3-EAL"

kb-reference

Usage (18)

comment

  • "An executable binary contains machine code instructions for a physical CPU. D3FEND also considers byte code for a virtual machine to be binary code. This is in contrast to executable scripts written in a scripting language."

rdfs:label

  • "Executable Binary"

rdfs:seeAlso

  • http://dbpedia.org/resource/Executable

contains

may-interpret

Usage (18)

definition

  • "Blocking the execution of files on a host in accordance with defined application policy rules."

kb-article

  • "## How it works

    #### Criteria

    A policy-enforcing application can register an application for denylisting based on conditions including the following:

    * File attributes
      * file name
      * file path
      * file hash
      * file publisher, as obtained from the digital signature
      * permissions of the file
    * File malware scan (e.g. Windows SmartScreen)
    * User-File combination

    This may be done to prevent execution of applications which are:

    * an old version with known vulnerabilities
    * without a valid license, which could cause legal issues
    * in a directory that is accessible to low-privileged users, that could be accessed by a malware dropper
    * known trojan horse programs
    * too open in their permissions, possibly set to run as a user other than the originator or allowing execution when they should not be
    * a match to the hash of other known malware
    * detected as undesirable based on a file scan or runtime behavior

    System administrators will customize the rules for the given environment.

    #### Backend

    The policy-enforcing program may work by running in kernel mode and intercepting system calls which execute a process.

    ## Considerations

    * If denylisting is done by filename, filepath, or hash, these mechanisms may be a worthy first line of defense and detection, but could still be evaded by an attacker.
    * Continuous management is needed to keep the denylist up to date, whether it is based on hash, publisher, behavior, or any other digital artifact.
    * Although denylists based on attributes such as file path and virus scan could defend against some threats which they have not been explicitly coded to block, denylists may not provide protection from new, unknown, or zero day attacks.


    ## Examples
    On a Windows machine the Windows Defender Application Control (WDAC) policy enforcement runs in the kernel and allows for restricting applications."

rdfs:label

  • "Executable Denylisting"

synonym

  • "Executable Blacklisting"

blocks

d3fend-id

  • "D3-EDL"

kb-reference

Usage (18)

altLabel

  • "Executable"

comment

  • "In computing, executable code or an executable file or executable program, sometimes simply an executable, causes a computer "to perform indicated tasks according to encoded instructions," as opposed to a data file that must be parsed by a program to be meaningful. These instructions are traditionally machine code instructions for a physical CPU. However, in a more general sense, a file containing instructions (such as bytecode) for a software interpreter may also be considered executable; even a scripting language source file may therefore be considered executable in this sense. The exact interpretation depends upon the use; while the term often refers only to machine code files, in the context of protection against computer viruses all files which cause potentially hazardous instruction"

isDefinedBy

  • http://dbpedia.org/resource/Executable

rdfs:label

  • "Executable File"

Usage (18)

comment

  • "An executable script is written in a scripting language and interpreted at run time. This is in contrast with an executable binary, which contains machine code instructions for a physical CPU or byte code for a virtual machine."

rdfs:label

  • "Executable Script"

rdfs:seeAlso

  • http://dbpedia.org/resource/Executable

Usage (18)

rdfs:label

  • "Execution"

display-order

  • 2

Usage (18)

definition

  • "Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files."

rdfs:label

  • "Execution Isolation"

d3fend-id

  • "D3-EI"

enables

Usage (18)

rdfs:label

  • "Execution Technique"

enables

Usage (18)

kb-abstract

  • "In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows built-in command AT (at.exe) to schedule a command to be run at a specified time, date, and even host. This method has been used by adversaries and administrators alike. Its use may lead to detection of compromised hosts and compromised users if it is used to move laterally. The built-in Windows tool schtasks.exe (CAR-2013-08-001) offers greater flexibility when creating, modifying, and enumerating tasks. For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users."

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-mitre-analysis

  • ""

rdfs:label

  • "Reference - CAR-2013-05-004: Execution with AT -"

kb-reference-of

kb-reference-title

  • "CAR-2013-05-004: Execution with AT"

Usage (18)

kb-abstract

  • "The Windows built-in tool schtasks.exe provides the creation, modification, and running of scheduled tasks on a local or remote computer. It is provided as a more flexible alternative to at.exe, described in CAR-2013-05-004. Although used by adversaries, the tool is also legitimately used by administrators, scripts, and software configurations. The scheduled tasks tool can be used to gain Persistence and can be used in combination with a Lateral Movement technique to remotely gain execution. Additionally, the command has parameters to specify the user and password responsible for creating the task, as well as the user and password combination that the task will run as. The /s flag will cause a task to run as the SYSTEM user, usually indicating privilege escalation."

kb-author

  • ""

kb-mitre-analysis

  • ""

kb-mitre-analysis

  • ""

rdfs:label

  • "Reference - CAR-2013-08-001: Execution with schtasks -"

kb-reference-of

kb-reference-title

  • "CAR-2013-08-001: Execution with schtasks"

Usage (18)

rdfs:label

  • "Exfiltration"

display-order

  • 11

Usage (18)

rdfs:label

  • "Exfiltration Technique"

enables

Usage (18)

rdfs:label

  • "FQDN Domain Name"

Usage (18)

comment

  • "A file maintained in computer-readable form."

rdfs:label

  • "File"

rdfs:seeAlso

  • http://wordnet-rdf.princeton.edu/id/06521201-n

contains

may-contain

Usage (18)

definition

  • "Analyzing the way a process accesses local files to identify unauthorized activity."

kb-article

  • "## How it works
    File-modifying malware such as wipers and ransomware is detected by identifying file access patterns associated with a malicious process. Examples of such patterns include accessing a large number of files, accessing multiple file types, accessing files located in many different directories, and copying a file and encrypting its contents into the copy.

    ## Considerations
    Certain file access actions may not be statistically different from authorized activity."
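The detection described above, as an added example that is not part of the D3FEND article: it buckets constructed file-access telemetry per process and time window, counts distinct files, extensions and directories, and looks for the read-then-write-a-renamed-copy shape of a copy-and-encrypt loop. Event fields, thresholds and the sample process names are this example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds since monitoring start
    pid: int
    process: str
    op: str          # "read" or "write"
    path: str


# Per-window thresholds; these are assumptions to be tuned per environment
# (see the Considerations above on benign activity looking similar).
THRESHOLDS = {"files": 20, "extensions": 4, "directories": 3}


def window_stats(events) -> dict:
    """Volume, breadth and copy-and-encrypt indicators for one process window."""
    paths = {e.path for e in events}
    reads = [e.path for e in events if e.op == "read"]
    writes = {e.path for e in events if e.op == "write"}
    # A 'rewrite' is a read of X followed by a write of X.<something> in the same
    # directory: the shape of copying a file and writing an encrypted copy.
    rewrites = sum(
        1 for r in reads for w in writes
        if w != r
        and PurePosixPath(w).parent == PurePosixPath(r).parent
        and PurePosixPath(w).stem == PurePosixPath(r).name
    )
    return {
        "files": len(paths),
        "extensions": len({PurePosixPath(p).suffix for p in paths}),
        "directories": len({str(PurePosixPath(p).parent) for p in paths}),
        "rewrites": rewrites,
    }


def analyze(events, window_s=10.0, thresholds=THRESHOLDS, min_rewrites=10) -> list:
    """Bucket events per (pid, process, time window) and alert on ransomware-like shapes."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.pid, e.process, int(e.ts // window_s))].append(e)
    alerts = []
    for (pid, process, window), evs in sorted(buckets.items()):
        stats = window_stats(evs)
        exceeded = [k for k, limit in thresholds.items() if stats[k] >= limit]
        if stats["rewrites"] >= min_rewrites or len(exceeded) >= 2:
            alerts.append({"pid": pid, "process": process, "window": window,
                           "stats": stats, "exceeded": exceeded})
    return alerts


def sample_events() -> list:
    """Constructed telemetry: one process encrypting a tree, one editing a single file."""
    events, t = [], 0.0
    dirs = ["/home/alice/Documents", "/home/alice/Pictures", "/srv/share/finance"]
    exts = ["docx", "xlsx", "pdf", "jpg"]
    for i in range(24):
        src = f"{dirs[i % 3]}/file{i}.{exts[i % 4]}"
        events.append(FileEvent(t, 1001, "enc.exe", "read", src))
        events.append(FileEvent(t + 0.05, 1001, "enc.exe", "write", src + ".locked"))
        t += 0.1
    events.append(FileEvent(1.0, 2002, "winword.exe", "read", "/home/alice/Documents/report.docx"))
    events.append(FileEvent(3.0, 2002, "winword.exe", "write", "/home/alice/Documents/report.docx"))
    return events


if __name__ == "__main__":
    for alert in analyze(sample_events()):
        print(alert["process"], alert["pid"], alert["stats"], alert["exceeded"])
```

Only the encrypting process trips the alert; the word processor touching one document stays below every threshold, which is the distinction the Considerations paragraph warns is not always this clean.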

rdfs:label

  • "File Access Pattern Analysis"

analyzes

d3fend-id

  • "D3-FAPA"

kb-reference

Usage (18)

definition

  • "File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc."

kb-article

  • "## Technique Overview
    Some techniques use file signatures or file metadata to compare against historical collections of malware. Files may also be compared against a source of ground truth such as cryptographic signatures. Files can be examined for potential malware using pattern matching against file contents or file behavior. Binary code may be disassembled and analyzed for indicators of malware behavior, such as API call signatures. Analysis might occur within a protected environment such as a sandbox or on a live system."

rdfs:label

  • "File Analysis"

analyzes

d3fend-id

  • "D3-FA"

enables

Usage (18)

definition

  • "Identifying and extracting files from network application protocols through the use of network stream reassembly software."

kb-article

  • "## How it works
    Protocol stream reassembly software recreates a directional byte stream by analyzing captured network packets. Once the stream is reassembled, pattern matching is applied to determine whether it contains a file of interest. Files of interest include executable, archive, and document file formats. Once the file is captured, it is then processed with standard File Analysis techniques. Example network protocols include HTTP, SMTP, FTP, HTTP/2, and TLS/HTTP/Dropbox.

    ## Considerations
    - This is an error-prone process due to the intricacies of network protocols and network packet capture. For example, reassembly may be done in real time or in a streaming fashion, or packets may be written to disk and then bulk processed. The packets may arrive out of order, fragmented, duplicated, or re-transmitted. The reassembly software must compensate for the imperfect packet stream in order to recreate the well-formed file which was transmitted.
    - File type identification can be a difficult process which can be exploited by adversaries."

rdfs:label

  • "File Carving"

analyzes

d3fend-id

  • "D3-FC"

kb-reference

Usage (18)

definition

  • "Employing a pattern matching rule language to analyze files."

kb-article

  • "## How it works
    Rules, often called signatures, are used for both generic and targeted malware detection. The rules are usually expressed in a domain specific language (DSL), then deployed to software that scans files for matches. The rules are developed and broadly distributed by commercial vendors, or they are developed and deployed by enterprise security teams to address highly targeted or custom malware. Conceptually, there are public and private rule sets. Both leverage the same technology, but they are intended to detect different types of cyber adversaries.

    ## Considerations
    * Patterns expressed in the DSLs range in their complexity. Some scanning engines support file parsing and normalization for high fidelity matching, others support only simple regular expression matching against raw file data. Engineers must make a trade-off in terms of:
        * the fidelity of the matching capabilities, in order to balance high recall with avoiding false positives,
        * the computational load for scanning, and
        * the resilience of the engine to deal with adversarial content presented in different forms: content which in some cases is designed to exploit or defeat the scanning engines.
    * Signature libraries can become large over time and impact scanning performance.
    * Some vendors who sell signatures have to delete old signatures over time.
    * Simple signatures against raw content cannot match against encoded, encrypted, or sufficiently obfuscated content.

    ## Implementations
    * YARA
    * ClamAV"
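As an added example (not YARA, ClamAV or any D3FEND code), the following Python models the rule structure the article describes: named byte patterns plus an "N of them" condition, scanned against raw file bytes, with an optional normalization pass that decodes base64 runs before matching. It makes the last Consideration concrete: the same rule misses an encoded copy of the content unless the engine normalizes first. The rule name, marker strings and sample files are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ContentRule:
    """A minimal file-content rule: named byte patterns plus an 'N of them' condition.
    Modeled loosely on the strings/condition layout of YARA rules (not YARA itself)."""
    name: str
    strings: dict           # identifier -> bytes pattern to look for
    min_matches: int = 1    # how many of the patterns must be present

    def match(self, data: bytes) -> list:
        hits = [ident for ident, pattern in self.strings.items() if pattern in data]
        return sorted(hits) if len(hits) >= self.min_matches else []


def candidate_layers(data: bytes) -> list:
    """Return the raw bytes followed by every base64-decodable run found inside them.
    This stands in for the 'parsing and normalization' step some engines perform."""
    layers = [data]
    for run in re.finditer(rb"[A-Za-z0-9+/]{24,}={0,2}", data):
        try:
            layers.append(base64.b64decode(run.group(0), validate=True))
        except ValueError:      # binascii.Error is a ValueError subclass
            continue
    return layers


def scan(rules, data: bytes, normalize: bool = False) -> dict:
    """Scan one file's bytes; returns {rule_name: [matched identifiers]} for rules that fired."""
    layers = candidate_layers(data) if normalize else [data]
    results = {}
    for rule in rules:
        for layer in layers:
            hits = rule.match(layer)
            if hits:
                results[rule.name] = hits
                break
    return results


# Constructed sample rule: two of three process-injection API names must appear.
INJECTION_APIS = ContentRule(
    name="win_process_injection_apis",
    strings={"$alloc": b"VirtualAllocEx",
             "$write": b"WriteProcessMemory",
             "$thread": b"CreateRemoteThread"},
    min_matches=2,
)
RULES = [INJECTION_APIS]

# Constructed sample files (marker strings only, not real malware).
BENIGN_FILE = b"Quarterly report attached. Regards, Finance team.\n"
PLAIN_DROPPER = b"kernel32!VirtualAllocEx\nkernel32!WriteProcessMemory\nrun\n"
ENCODED_DROPPER = b"blob=" + base64.b64encode(PLAIN_DROPPER) + b"\n"

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_FILE), ("plain", PLAIN_DROPPER), ("encoded", ENCODED_DROPPER)):
        print(f"{label:8s} raw-only: {scan(RULES, blob)}  normalized: {scan(RULES, blob, normalize=True)}")
```

Every added decoding layer raises both recall and scan cost, which is exactly the fidelity-versus-load trade-off listed above; a real engine would also handle nested encodings, compression and script deobfuscation.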

rdfs:label

  • "File Content Rules"

synonym

  • "File Content Signatures"
  • "File Signatures"

d3fend-id

  • "D3-FCR"

kb-reference

Usage (18)

definition

  • "Analyzing the properties of file create system call invocations."

rdfs:label

  • "File Creation Analysis"

analyzes

d3fend-id

  • "D3-FCA"

kb-reference

Usage (18)

definition

  • "Encrypting a file using a cryptographic key."

kb-article

  • "## How it Works
    Files are encrypted using either a single key for both encryption and decryption or two separate keys. Single-key encryption is symmetric encryption; using two distinct keys is asymmetric encryption.

    ### Symmetric Cryptography
    Symmetric encryption uses the same cryptographic key for both the encryption and decryption of a file. Managing keys at scale sometimes relies on asymmetric key exchange protocols such as Diffie-Hellman to share the symmetric cryptographic key with other parties.

    ### Asymmetric Cryptography
    Asymmetric encryption is typically accomplished using public and private key certificates based on the X.509 standard. Files are encrypted using the public key and decrypted using the corresponding private key. Asymmetric encryption is typically slower than symmetric encryption and not widely used for large file encryption, but is popular for key wrapping, key exchanges, and digital signatures.

    ## Considerations
    - Continuous monitoring to ensure private keys are not compromised and the certificate authority (CA) is trusted.
    - Secure transfer of private keys between multiple devices."

rdfs:label

  • "File Encryption"

d3fend-id

  • "D3-FE"

encrypts

kb-reference

Usage (18)

definition

  • "Employing file hash comparisons to detect known malware."

kb-article

  • "## How it works
    This technique requires a list of hashes to compare a file against.

    ## Considerations
    Performance may suffer on large files or very large numbers of files."

rdfs:label

  • "File Hashing"

d3fend-id

  • "D3-FH"

kb-reference

Usage (18)

altLabel

  • "File Part"

comment

  • "A file section is one of the portions of a file in which the file is regarded as divided and where together the file sections constitute the whole file."

rdfs:label

  • "File Section"

rdfs:seeAlso

  • http://wordnet-rdf.princeton.edu/id/05876035-n

Usage (18)

comment

  • "In computing, a file system or filesystem is used to control how data is stored and retrieved. Without a file system, information placed in a storage medium would be one large body of data with no way to tell where one piece of information stops and the next begins. By separating the data into pieces and giving each piece a name, the information is easily isolated and identified. Taking its name from the way paper-based information systems are named, each group of data is called a "file". The structure and logic rules used to manage the groups of information and their names is called a "file system"."

isDefinedBy

  • http://dbpedia.org/resource/File_system

rdfs:label

  • "File System"

contains

Usage (18)

comment

  • "A file system link associates a name with a file on a file system. Most generally, this may be a direct reference (a hard link) or an indirect one (a soft link)."

isDefinedBy

  • http://dbpedia.org/resource/Hard_link

rdfs:label

  • "File System Link"

Usage (18)

comment

  • "Metadata about the files and directories in a file system. For example file name, file length, time modified, group and user ids, and other file attributes."

rdfs:label

  • "File System Metadata"

rdfs:seeAlso

  • http://dbpedia.org/resource/File_system#Metadata

Usage (18)

comment

  • "File transfer network traffic is network traffic related to file transfers between network nodes. This includes only network traffic conforming to standard file transfer protocols, not custom transfer protocols."

rdfs:label

  • "File Transfer Network Traffic"

Usage (18)

comment

  • "In electronic systems and computing, firmware is a type of software that provides control, monitoring and data manipulation of engineered products and systems. Typical examples of devices containing firmware are embedded systems (such as traffic lights, consumer appliances, remote controls and digital watches), computers, computer peripherals, mobile phones, and digital cameras. The firmware contained in these devices provides the low-level control program for the device."

isDefinedBy

  • http://dbpedia.org/resource/Firmware

rdfs:label

  • "Firmware"

Usage (18)

definition

  • "Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity."

kb-article

  • "## How it works
    Firmware behavior analysis provides protections by ensuring that installed firmware has not been tampered with or modified. Firmware analysis applies to mutable firmware and immutable read-only memory (ROMs).

    Firmware in deployed network devices is typically not analyzed and monitored for vulnerabilities and thus is subject to potential attacks. This technique makes use of known and measured behavioral attributes, including timing attributes, of analyzed firmware on deployed devices.

    A behavioral method that employs known timing measurements may use the timing results from a challenge and response protocol to detect the presence of malware in embedded firmware. Firmware device timing measurements are made, specific to the installed device, and are used in the verifying function.

    The original firmware image is modified by injecting a monitoring software component into the embedded firmware code. The injected software components will allow for a software root of trust, the challenge and response protocol, to be implemented in the firmware.

    A challenge is issued and includes a nonce so that replays are not accepted. The firmware will calculate a checksum over all of memory, including the nonce, and return the result. The verification system will compare the computed checksum and the time it took for the computation of the checksum to determine if the firmware has been modified.

    ## Considerations
    * The firmware code will need to be modified to include the behavioral monitoring functionality.
    * This technique is sensitive to the device the embedded firmware is hosted on and it is expected that the devices and firmware will need to be profiled and analyzed to determine timing estimation.
    * This technique is not expected to be one hundred percent correct as you would expect in a hardware root of trust solution and may require some tuning."

rdfs:label

  • "Firmware Behavior Analysis"

synonym

  • "Firmware Timing Analysis"

analyzes

d3fend-id

  • "D3-FBA"

kb-reference

Usage (18)

definition

  • "Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data."

kb-article

  • "## How it works
    Firmware in deployed network devices is typically not monitored for malicious changes. This technique provides a method to embed a software security component into the deployed firmware which provides a near real-time monitoring hook. The exception handling code, in the firmware, is typically used to expose any detected vulnerabilities.

    The injected software components provide a feature similar to intrusion detection systems for the firmware by detecting unauthorized modifications of the embedded firmware. The integrity of static code and firmware data are monitored continuously in the hosted devices. Comparisons are made to monitored elements like firmware memory addresses and data segments. Memory pages are scanned and if a modification is detected the software component may lock the page. This will protect against subsequent attempted modifications to the firmware. The software component may utilize the exception handling code and thus be able to disclose the exact address of the modified memory.

    The injected software components are inserted during the firmware imaging process. The injected software is assumed to have knowledge of both the embedded code and the current execution state of the host program. The injected software will monitor and alert, in near real-time, on potential suspicious activity. The injected code is run alongside of the embedded code in the host. The injected software operates as an independent entity and is not dependent on the host software.

    Finally, this technique may implement other countermeasure techniques as part of its analytical processes. These should be identified by referencing other countermeasure techniques directly as necessary.

    ## Considerations
    * The firmware code will need to be modified and re-hosted on the device.
    * Exposing monitoring hooks to the injected code may introduce additional risk."

rdfs:label

  • "Firmware Embedded Monitoring Code"

analyzes

d3fend-id

  • "D3-FEMC"

kb-reference

Usage (18)

definition

  • "Cryptographically verifying firmware integrity."

kb-article

  • "## How it works
    Cryptographic hash values are computed for system and peripheral firmware. The hash values are compared against precomputed hash values for the identified firmware. A hash value mismatch may indicate that the firmware has been tampered with, or that it was updated with a non-current release, indicating a misconfiguration of the system.

    ## Considerations
    * Requires cryptographically computed hash values of firmware
    * Requires storage of precomputed firmware hash values"
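The hash comparison used by both File Hashing (above) and Firmware Verification, as an added example that is not D3FEND's or any vendor's code: each component image is hashed with SHA-256 and checked against a manifest of precomputed digests, distinguishing an approved current release, a recognised but outdated release (the misconfiguration case), and an unrecognised image. The component names, image bytes and release numbers are constructed; in practice the manifest would come from the vendor's signed release data rather than being computed beside the check.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Digest of a complete image; the samples are small enough to hash in one call."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in images; real ones would be read from SPI flash, an
# option ROM, or a vendor update file.
BIOS_V2 = b"BIOS image v2.0 (constructed sample)\x00" * 64
BIOS_V1 = b"BIOS image v1.9 (constructed sample)\x00" * 64
NIC_ROM = b"NIC option ROM v7.1 (constructed sample)\x00" * 32

# Precomputed hash manifest: component -> {sha256: release}. The first entry is the
# approved current release; later entries are older releases still recognised.
# Computed here only so the example runs offline; it must not be derived from
# the device under test in a real deployment.
MANIFEST = {
    "bios": {sha256_hex(BIOS_V2): "2.0", sha256_hex(BIOS_V1): "1.9"},
    "nic":  {sha256_hex(NIC_ROM): "7.1"},
}


def verify_component(component: str, image: bytes, manifest=MANIFEST) -> dict:
    """Classify one firmware image: ok / outdated / mismatch / unknown-component."""
    known = manifest.get(component)
    if known is None:
        return {"component": component, "status": "unknown-component", "release": None}
    observed = sha256_hex(image)
    current_hash, current_release = next(iter(known.items()))
    # compare_digest keeps the comparison time independent of where digests differ.
    if hmac.compare_digest(observed, current_hash):
        return {"component": component, "status": "ok", "release": current_release}
    for digest, release in known.items():
        if hmac.compare_digest(observed, digest):
            return {"component": component, "status": "outdated", "release": release}
    return {"component": component, "status": "mismatch", "release": None}


def verify_system(images: dict, manifest=MANIFEST) -> dict:
    """Verify every component image and return {component: result}."""
    return {name: verify_component(name, image, manifest) for name, image in images.items()}


if __name__ == "__main__":
    tampered = bytearray(BIOS_V2)
    tampered[100] ^= 0x01            # a single flipped bit is enough to change the digest
    for comp, result in verify_system({"bios": bytes(tampered), "nic": NIC_ROM}).items():
        print(comp, result["status"], result["release"])
```

For large files the same structure applies with the digest computed incrementally (`hashlib` objects accept repeated `update()` calls), which is where the performance consideration under File Hashing comes in.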

rdfs:label

  • "Firmware Verification"

d3fend-id

  • "D3-FV"

kb-reference

verifies

Usage (18)

definition

  • "Blocking a lookup based on the query's domain name value."

kb-article

  • "## How it works

    Policies are created that filter DNS queries using the fully qualified domain name (FQDN) in the query. A DNS policy can be created for blocking DNS queries for FQDNs that have been identified as unauthorized.

    ## Considerations

    Continuous maintenance of unauthorized domain lists is needed to keep them up to date."

rdfs:label

  • "Forward Resolution Domain Denylisting"

synonym

  • "Forward Resolution Domain Blacklisting"

blocks

d3fend-id

  • "D3-FRDDL"

kb-reference

Usage (18)

definition

  • "Blocking a DNS lookup's answer's IP address value."

kb-article

  • "## How it works

    This technique prevents a client from learning IP addresses deemed to be potentially malicious, which would have been delivered via forward resolution responses.

    Responses to forward resolution requests (that is, requests where a domain is sent and IP(s) are returned) are collected, and the IP address(es) included as a response are examined. If the IP address(es) are in a range included in the blacklist, then the response is dropped and not forwarded to the client.

    The DNS lookup can be blocked by either dropping the network traffic with an inline device, or modifying the value of the response sent by the DNS server. To transparently prevent client applications from hanging on a request, it is common practice to replace malicious values with addresses in the range 127.0.0.0/8 or the address of a honeypot maintained by the network administrators.

    ## Considerations

    * This technique does not prevent the client from contacting the blacklisted IP, only from learning about this IP address via a nameserver lookup request.
    * DNS Response traffic can be transmitted over many different protocols, which presents a challenge to implementing methods to extract all DNS answer IP address value(s).
    * DNS has historically used UDP port 53, with TCP port 53 instead used for responses over 512 bytes or after a lack of response over UDP.
    * Usage of new protocols to provide confidentiality for DNS traffic, such as DoH (DNS over HTTPS) and DoT (DNS over TLS), complicates collection of the IP address(es) in DNS responses. These protocols have often been enabled in browser settings transparently after a browser update, with DNS requests proxied over one of these cryptographic protocols through a specified host.
    * This technique must be implemented logically between the application that receives the response and the server which sent the response.
    * DNS responses sent in an encrypted manner, such as those using DoH or DoT, will require interception of the TLS connections in order to determine the IP address(es) in the response.
    * Replacing the response is not effective in the case that the nameserver uses a technique to provide integrity of its responses, such as DNSSEC for DNS responses."
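The answer-filtering step described above, as an added example rather than D3FEND code: given the records a DNS parser has already extracted from a response, it checks each A/AAAA value against denied address ranges and either drops the whole response (the inline-device case) or rewrites the denied values to a sinkhole address. The denied ranges use documentation prefixes, the record tuples are constructed, and the IPv6 sinkhole value is this example's own choice; the 127.0.0.0/8 sinkhole follows the text.

```python
import ipaddress

# Constructed denylist; 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 are
# documentation ranges, not real threat intelligence.
DENIED_RANGES = [ipaddress.ip_network(n) for n in
                 ("203.0.113.0/24", "198.51.100.7/32", "2001:db8:bad::/48")]

# Sinkhole values used when rewriting rather than dropping. 127.0.0.0/8 follows the
# article; the IPv6 loopback is an assumption of this example.
SINKHOLE = {4: "127.0.0.2", 6: "::1"}


def is_denied(value: str) -> bool:
    """True when value parses as an IP address inside a denied range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in DENIED_RANGES)


def filter_answers(answers, mode="rewrite"):
    """answers: list of (name, rtype, value) tuples as a DNS parser would yield.
    mode='drop' returns (None, denied) so the caller discards the packet;
    mode='rewrite' replaces denied A/AAAA values with a sinkhole and returns
    (new_answers, denied). Records other than A/AAAA pass through untouched."""
    denied = []
    rewritten = []
    for name, rtype, value in answers:
        if rtype in ("A", "AAAA") and is_denied(value):
            denied.append(value)
            if mode == "rewrite":
                version = ipaddress.ip_address(value).version
                rewritten.append((name, rtype, SINKHOLE[version]))
                continue
        rewritten.append((name, rtype, value))
    if denied and mode == "drop":
        return None, denied
    return rewritten, denied


# Constructed response for a name that resolves to denied and clean addresses.
SAMPLE_ANSWERS = [
    ("evil.example", "A", "203.0.113.45"),
    ("evil.example", "A", "192.0.2.10"),
    ("evil.example", "AAAA", "2001:db8:bad::1"),
    ("evil.example", "TXT", "v=spf1 -all"),
]

if __name__ == "__main__":
    print(filter_answers(SAMPLE_ANSWERS))
    print(filter_answers(SAMPLE_ANSWERS, mode="drop"))
```

Rewriting keeps the client from hanging but, as the last Consideration notes, produces a response that fails DNSSEC validation on a validating resolver, so dropping is the safer choice where clients validate.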

rdfs:label

  • "Forward Resolution IP Denylisting"

synonym

  • "Forward Resolution IP Blacklisting"

blocks

d3fend-id

  • "D3-FRIDL"

kb-reference

Usage (18)

rdfs:label

  • "GNU GCC StackGuard"

Usage (18)

kb-abstract

  • "Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic. Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually."

kb-author

  • "MITRE"

kb-mitre-analysis

  • "MITRE"

kb-mitre-analysis

  • ""

rdfs:label

  • "Reference - CAR-2019-04-002: Generic Regsvr32 - MITRE"

kb-reference-of

  • 'Process Lineage Analysis'

kb-reference-title

  • "CAR-2019-04-002: Generic Regsvr32"

Usage (18)

comment

  • "A system call that gets the system time. For POSIX.1 systems, time() invokes a call to get the system time."

rdfs:label

  • "Get System Time"

rdfs:seeAlso

  • https://man7.org/linux/man-pages/man2/time.2.html

Usage (18)

comment

  • "A type of user account in Microsoft Windows (NT) that has a domain-wide scope. It defines that user's access to a logical group of network objects (computers, users, devices) that share the same Active Directory databases; that is, a user's access to the domain."

rdfs:label

  • "Global User Account"

rdfs:seeAlso

  • https://networkencyclopedia.com/global-user-account

Usage (18)

altLabel

  • "GUI"

comment

  • "A graphical user interface (GUI) is a type of user interface that allows users to interact with electronic devices through graphical icons and visual indicators such as secondary notation, instead of text-based user interfaces, typed command labels or text navigation. GUIs were introduced in reaction to the perceived steep learning curve of command-line interfaces (CLIs), which require commands to be typed on a computer keyboard."

isDefinedBy

  • http://dbpedia.org/resource/Graphical_user_interface

rdfs:label

  • "Graphical User Interface"

Usage (18)

comment

  • "Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A version of Group Policy called Local Group Policy ("LGPO" or "LocalGPO") also allows Group Policy Object management on standalone and non-domain computers."

rdfs:label

  • "Group Policy"

Usage (18)

rdfs:label

  • "HTTPS URL"

Usage (18)

rdfs:label

  • "HTTP URL"

Usage (18)

definition

  • "The harden tactic is used to increase the opportunity cost of computer network exploitation. Hardening differs from Detection in that it generally is conducted before a system is online and operational."

rdfs:label

  • "Harden"

display-order

  • 0

Usage (18)

definition

  • "Preventing one process from writing to the memory space of another process through hardware based address manager implementations."

kb-article

  • "## How it works
    Process isolation, in this context, is address space separation controlled by a security function that limits the communication between processes so that one process cannot directly modify the executing code of another process. For example with virtual address space:

    * Process A address space is different from process B address space, which prevents process A from writing to process B

    Hardware process isolation is commonly implemented through Direct Memory Access (DMA) which collaborates with a Memory Management Unit (MMU), or Input-Output Memory Management Unit (IOMMU). These hardware controls are deployed directly on processors to aid hosts or enclaves in process isolation.

    * DMA - Direct memory access allows memory access to occur independently of the program currently run by the microprocessor. DMA allows for I/O devices to directly read from and write to memory, or it can be used to efficiently copy blocks of memory. During DMA transfers, the microprocessor can execute an unrelated program.
    * MMU - A memory management unit acts as an access control and is responsible for performing the translation of virtual memory addresses to physical memory addresses. The MMU allocates each process its own virtual memory space.
    * IOMMU - An input-output memory management unit is used to allocate each I/O device its own virtual address space to the underlying physical addresses. IOMMU allows devices that do not support long memory addresses to address the entire memory space.

    ## Considerations
    * Private hosts may be vulnerable to DMA attack if they have a PCI or PCI Express port that connects attached devices directly to physical address space.

    ## Implementations:
    * Intel Virtualization Technology for Directed I/O (Intel VT-d)
    * Firecracker"

rdfs:label

  • "Hardware-based Process Isolation"

synonym

  • "Virtualization"

d3fend-id

  • "D3-HBPI"

isolates

kb-reference

Usage (18)

comment

  • "Hardware devices are the physical artifacts that constitute a network or computer system. Hardware devices are the physical parts or components of a computer, such as the monitor, keyboard, computer data storage, hard disk drive (HDD), graphic cards, sound cards, memory (RAM), motherboard, and so on, all of which are tangible physical objects. By contrast, software is instructions that can be stored and run by hardware. Hardware is directed by the software to execute any command or instruction. A combination of hardware and software forms a usable computing system."

isDefinedBy

  • http://dbpedia.org/resource/Computer_hardware

rdfs:label

  • "Hardware Device"

Usage (18)

altLabel

  • "Device Driver"

comment

  • "In computing, a device driver (commonly referred to simply as a driver) is a computer program that operates or controls a particular type of device that is attached to a computer. A driver provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details of the hardware being used. A driver communicates with the device through the computer bus or communications subsystem to which the hardware connects. When a calling program invokes a routine in the driver, the driver issues commands to the device. Once the device sends data back to the driver, the driver may invoke routines in the original calling program. Drivers are hardware dependent and operating-system-specific. They usually provide the interrupt handling required for any necessary asynchronous time-dependent hardware interface."

isDefinedBy

  • http://dbpedia.org/resource/Device_driver

rdfs:label

  • "Hardware Driver"

drives

Usage (18)

definition

  • "Blocking the resolution of any subdomain of a specified domain name."

kb-article

  • "## How it works
    This technique is used to block DNS queries for related domains and subdomains that are unauthorized.

    Hierarchical domain blacklisting considers the blacklisting of second level domains and additional sub-domains and specific hosts for a given query value. A denylist is maintained that contains DNS names and corresponding subdomains, including wildcards, that should be blocked for a given lookup.

    ## Considerations
    * The denylist of domain names will have to be maintained and will need to be kept up to date
    * Other domains that resolve to the domain of interest (for example via CNAME records) also need to be considered for blocking.
    * Denylists should have identified maintenance cycles to ensure lists are not stale."
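A single policy object that covers both Forward Resolution Domain Denylisting (exact FQDN entries) and the hierarchical form above (wildcard entries blocking every name under a zone), added here as an illustration and not taken from D3FEND or any resolver's code. It also applies the policy to every CNAME target in an answer chain, which addresses the CNAME consideration. The entry syntax, the `.example` names and the NXDOMAIN decision are this example's assumptions.

```python
def normalize_name(name: str) -> str:
    """Lower-case and strip the trailing root dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


class DomainDenylist:
    """Exact FQDN entries block one name; '*.zone' entries block every name below zone
    (but not zone itself: list it separately if the apex should be blocked too)."""

    def __init__(self, entries):
        self.exact = set()
        self.zones = set()
        for entry in entries:
            entry = normalize_name(entry)
            if entry.startswith("*."):
                self.zones.add(entry[2:])
            else:
                self.exact.add(entry)

    def match(self, qname: str):
        """Return the denylist entry that blocks qname, or None."""
        qname = normalize_name(qname)
        if qname in self.exact:
            return qname
        labels = qname.split(".")
        # Walk up the hierarchy: a.b.c2.example -> b.c2.example -> c2.example -> example
        for i in range(1, len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.zones:
                return "*." + zone
        return None

    def check_chain(self, names):
        """Apply the policy to the query name and every CNAME target in the answer,
        so an allowed alias cannot be used to reach a denied name."""
        for name in names:
            hit = self.match(name)
            if hit:
                return hit
        return None


# Constructed policy entries; the .example TLD is reserved for documentation.
POLICY = DomainDenylist(["malicious.example", "*.c2.example", "Tracker.Example."])


def resolve_decision(query_chain) -> str:
    """'NXDOMAIN' if any name in the chain is denied, otherwise 'ALLOW'."""
    return "NXDOMAIN" if POLICY.check_chain(query_chain) else "ALLOW"


if __name__ == "__main__":
    for chain in (["www.example"], ["a.b.c2.example"], ["cdn.example", "edge.c2.example"]):
        print(chain, resolve_decision(chain), POLICY.check_chain(chain))
```

The walk-up loop is what makes the wildcard entries hierarchical: one `*.c2.example` entry catches any depth of subdomain without enumerating them, which is also why the list needs the maintenance cycles the Considerations call for when a zone changes hands.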

rdfs:label

  • "Hierarchical Domain Denylisting"

synonym

  • "Hierarchical Domain Blacklisting"

d3fend-id

  • "D3-HDDL"

kb-reference

Usage (18)

definition

  • "Blocking DNS queries that are deceptively similar to legitimate domain names."

kb-article

  • "## How it works

    Homoglyph domain blacklisting considers the domain and subdomain structure of a lookup and compares the named components to blacklisted named components. The blacklisted named components are typically crafted modifications of known good domains, e.g., gooogle.com versus google.com. The blacklisted domains typically resemble trusted domains, but have been altered slightly to deceive users.

    The blacklisted named components also include consideration for fonts or Unicode characters that can make certain characters appear very similar (zero vs capital O and the letter l vs the number one). The blacklisted domains under certain fonts will appear to be a trusted domain.

    ## Considerations
    * Maintaining the currency of the list can be a challenge especially with newly registered domain entries.
    * Blacklists should have identified maintenance cycles to ensure lists are not stale."

rdfs:label

  • "Homoglyph Denylisting"

synonym

  • "Homoglyph Blacklisting"

d3fend-id

  • "D3-HDL"

kb-reference

Usage (18)

definition

  • "Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user."

kb-article

  • "## How it works
    A homoglyph, in this context, is a deceptive string or word which looks like a trusted word but is composed of different characters, for example: goooogle.com versus google.com. This is commonly found in phishing and typosquatting attacks, where a human is exploited through a social engineering campaign.

    ## Considerations
    * In very large environments, processing DNS queries can be computationally expensive due to the amount of traffic that is generated.
    * Legitimate companies and products use non-dictionary words in their names, which could result in many false positives."
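The comparison behind both Homoglyph Denylisting and Homoglyph Detection, as an added example (not D3FEND code): each queried domain's registrable label is reduced to a "skeleton" by NFKC normalization, case folding, mapping a small constructed set of confusable characters (digit zero for o, rn for m, Cyrillic letters for their Latin look-alikes) and collapsing repeated letters, then compared by edit distance to the skeletons of a trusted list. Punycode A-labels are decoded first so the IDN and Unicode forms of the same name are judged alike. The confusables table, trusted list, thresholds and the naive second-level-label extraction are assumptions; a deployment would use the full Unicode confusables data and the public suffix list.

```python
import re
import unicodedata

# Constructed subset of visually confusable sequences (the real Unicode confusables
# table is far larger). Each key is replaced by its ASCII look-alike.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                  # Cyrillic c x y
}

TRUSTED = ["google.com", "paypal.com", "microsoft.com"]   # assumed trusted list


def skeleton(label: str) -> str:
    """Reduce a label to a canonical 'what it looks like' form."""
    s = unicodedata.normalize("NFKC", label).casefold()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)          # longer sequences (rn, vv) first
    return re.sub(r"(.)\1+", r"\1", s)   # goooogle -> gogle, google -> gogle


def registered_label(domain: str) -> str:
    """Second-level label with punycode A-labels decoded. Ignores multi-part public
    suffixes such as co.uk; a real implementation would consult the PSL."""
    labels = domain.rstrip(".").casefold().split(".")
    decoded = []
    for label in labels:
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass                     # keep the raw label if it is malformed
        decoded.append(label)
    return decoded[-2] if len(decoded) >= 2 else decoded[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str, trusted=TRUSTED, max_distance: int = 1) -> dict:
    """Classify a queried domain as trusted, homoglyph, near-miss or unrelated."""
    norm = domain.rstrip(".").casefold()
    if norm in trusted:
        return {"domain": domain, "verdict": "trusted", "target": norm, "distance": 0}
    label = skeleton(registered_label(norm))
    best_target, best_dist = min(
        ((t, levenshtein(label, skeleton(registered_label(t)))) for t in trusted),
        key=lambda td: td[1],
    )
    if best_dist == 0:
        verdict = "homoglyph"        # looks identical once confusables are folded
    elif best_dist <= max_distance:
        verdict = "near-miss"        # one edit away: typosquat territory
    else:
        verdict = "unrelated"
    return {"domain": domain, "verdict": verdict, "target": best_target, "distance": best_dist}


if __name__ == "__main__":
    for q in ("google.com", "g00gle.com", "goooogle.com", "rnicrosoft.com",
              "g\u043e\u043egle.com", "microsof.com", "example.org"):
        print(q, assess(q))
```

The skeleton step is what turns the denylisting variant into the detection variant: the denylist above stores crafted strings to compare literally, whereas this computes the look-alike relation on the fly, at the cost of the false positives the Considerations mention for short or invented brand names.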

rdfs:label

  • "Homoglyph Detection"

analyzes

d3fend-id

  • "D3-HD"

kb-reference

Usage (18)

altLabel

  • "Network Host"

comment

  • "A host is a computer or other device, typically connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network. A network host is a network node that is assigned a network layer host address. Network hosts that participate in applications that use the client-server model of computing, are classified as server or client systems. Network hosts may also function as nodes in peer-to-peer applications, in which all nodes share and consume resources in an equipotent manner."

isDefinedBy

  • http://dbpedia.org/resource/Host_(network)

rdfs:label

  • "Host"

contains

runs

Usage (18)

comment

  • "A software firewall which controls inbound and outbound network traffic to the host computer."

rdfs:label

  • "Host-based Firewall"

Usage (18)

kb-abstract

  • "When entering on a host for the first time, an adversary may try to discover information about the host. There are several built-in Windows commands that can be used to learn about the software configurations, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. The information returned may impact choices an adversary can make when establishing persistence, escalating privileges, or moving laterally.

    Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically."

kb-author

  • "MITRE"

kb-mitre-analysis

  • "MITRE"

kb-mitre-analysis

  • ""

rdfs:label

  • "Reference - CAR-2016-03-001: Host Discovery Commands - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2016-03-001: Host Discovery Commands"

Usage (18)

altLabel

  • "Nodename"

comment

  • "In computer networking, a hostname (archaically nodename) is a label that is assigned to a device connected to a computer network and that is used to identify the device in various forms of electronic communication, such as the World Wide Web. Hostnames may be simple names consisting of a single word or phrase, or they may be structured."

isDefinedBy

  • http://dbpedia.org/resource/Hostname

rdfs:label

  • "Hostname"

Usage (18)

definition

  • "Limiting access to computer input/output (IO) ports to restrict unauthorized devices."

kb-article

  • "## How it works

    Software-based restriction uses agent software installed on a computer system. The agent software monitors all IO port system traffic. The agent software is configurable to limit the use of certain devices connected to IO ports. The restriction software can also be configured to limit the access to files and applications on external storage devices connected to IO ports.

    Hardware-based restriction can also be employed to limit access to IO ports. For example, a hardware USB filter device that is placed between the host system and the external devices can filter IO port connections based on configurable rules. When a new device is connected to the USB filter, the type of device is determined, and a connection decision for the device is made against an allow list.

    Some implementations detect when a device is connected in order to authorize the connection against a list of approved devices, in some cases by device type. For example, if the device is determined to be a storage device, then the contained files and executables are examined to more accurately identify the device type.

    Types of restrictions that may be applied:
    - Device connection
    - Device command filtering
    - Device file system read or write restrictions

    ## Considerations
    * Agent software will need to be installed on host systems
    * Configurations for allow/deny for devices and files will need to be maintained"

rdfs:label

  • "IO Port Restriction"

d3fend-id

  • "D3-IOPR"

filters

kb-reference

Usage (18)

definition

  • "Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity."

kb-article

  • "## How it works
    Inter process communication enables applications or threads to share data. This can involve one or more computers. Monitoring IPC in your environment can reveal abnormal or malicious activity.
    IPC can occur within a single computer or between multiple computers remotely through network protocols. Thus there are multiple ways to collect and monitor these exchanges between processes. A network protocol analyzer may monitor and parse SMB network traffic to record system activity. A host-based monitoring agent may monitor IPC activity contained within a single host to look for deviations from standard usage.

    ### Examples
    * SMB
    * ZeroMQ
    * Java RMI API

    ## Considerations
    * IPC can generate substantial amounts of data, and it may not be feasible to collect all of it.
    * IPC may occur over loopback interfaces or direct memory access granted by the operating system."

rdfs:label

  • "IPC Traffic Analysis"

synonym

  • "IPC Analysis"

analyzes

d3fend-id

  • "D3-IPCTA"

kb-reference

Usage (18)

altLabel

  • "ID"

comment

  • "An identifier is a name that identifies (that is, labels the identity of) either a unique object or a unique class of objects, where the "object" or class may be an idea, physical [countable] object (or class thereof), or physical [noncountable] substance (or class thereof). The abbreviation ID often refers to identity, identification (the process of identifying), or an identifier (that is, an instance of identification). An identifier may be a word, number, letter, symbol, or any combination of those."

isDefinedBy

  • http://dbpedia.org/resource/Identifier

rdfs:label

  • "Identifier"

Usage (18)

definition

  • "Analyzing identifier artifacts such as IP address, domain names, or URL(I)s."

rdfs:label

  • "Identifier Analysis"

d3fend-id

  • "D3-ID"

enables

Usage (18)

comment

  • "An image code segment, also known as a text segment or simply as text, is a portion of an object file that contains executable instructions. The term "segment" comes from the memory segment, which is a historical approach to memory management that has been succeeded by paging. When a program is stored in an object file, the code segment is a part of this file; when the loader places a program into memory so that it may be executed, various memory regions are allocated (in particular, as pages), corresponding to both the segments in the object files and to segments only needed at run time. For example, the code segment of an object file is loaded into a corresponding code segment in memory."

rdfs:label

  • "Image Code Segment"

rdfs:seeAlso

  • http://dbpedia.org/resource/Code_segment
  • "Process Code Segment"

contains

Usage (18)

comment

  • "An image data segment (often denoted .data) is a portion of an object file that contains initialized static variables, that is, global variables and static local variables. The size of this segment is determined by the size of the values in the program's source code, and does not change at run time. This segmenting of the memory space into discrete blocks with specific tasks carried over into the programming languages of the day and the concept is still widely in use within modern programming languages."

rdfs:label

  • "Image Data Segment"

rdfs:seeAlso

  • http://dbpedia.org/resource/Data_segment
  • "Process Data Segment"

Usage (18)

rdfs:label

  • "Impact"

display-order

  • 12

Usage (18)

rdfs:label

  • "Impact Technique"

enables

Usage (18)

rdfs:label

  • "Impersonate User"

Usage (18)

comment

  • "A password store held in memory."

rdfs:label

  • "In-memory Password Store"

Usage (18)

comment

  • "Inbound internet DNS response traffic is DNS response traffic from a host outside a given network initiated on an incoming connection to a host inside that network."

rdfs:label

  • "Inbound Internet DNS Response Traffic"

Usage (18)

comment

  • "Inbound internet mail traffic is network traffic that is: (a) coming from a host outside a given network via an incoming connection to a host inside that same network, and (b) using a standard protocol for email."

rdfs:label

  • "Inbound Internet Mail Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Internetworking

Usage (18)

comment

  • "Inbound internet traffic is network traffic from a host outside a given network initiated on an incoming connection to a host inside that network."

rdfs:label

  • "Inbound Internet Network Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Internetworking

produces

Usage (18)

comment

  • "Inbound traffic is network traffic originating from another host (client), to the host of interest (server)."

rdfs:label

  • "Inbound Network Traffic"

Usage (18)

definition

  • "Analyzing inbound network session or connection attempt volume."

kb-article

  • "## How it works
    Network appliances are configured to alert on certain packets that typically are involved in DoS attacks. Typical packets include ICMP packets and SYN requests that are commonly used to flood networks. A sampling period is used to define a time window in which collected counts of the identified packets can be measured. If the collected number of packets exceeds a predefined limit then an alert is generated.

    ## Considerations
    Scalability as the volume of attacks increases: single servers may not have the memory and storage resources to handle high volumes of network traffic."
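The sampling-window count described above, as an added example that is not D3FEND's own code: bare TCP SYNs and ICMP echo requests are counted per fixed window, a window that exceeds its limit raises an alert, and a per-source breakdown shows whether the flood is distributed. The packet records, addresses and limits are constructed samples.

```python
"""Inbound session volume analysis (added example, not D3FEND's own code).
Packets of the kinds commonly used in floods (bare TCP SYNs, ICMP echo requests)
are counted per fixed sampling window; a window whose count exceeds its limit
raises an alert, with a per-source breakdown to show whether the flood is
distributed. The packet records below are constructed samples."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: float                        # arrival time in seconds
    src: str                         # source address (constructed values below)
    proto: str                       # "tcp", "udp" or "icmp"
    tcp_flags: str = ""              # "S" = bare SYN, "SA" = SYN-ACK, "A" = ACK
    icmp_type: Optional[int] = None  # 8 = echo request


# Packet classes to count. A bare SYN (no ACK) is a new connection attempt;
# SYN-ACKs and ACKs belong to sessions that are already progressing.
CLASSIFIERS = {
    "tcp_syn": lambda p: p.proto == "tcp" and p.tcp_flags == "S",
    "icmp_echo": lambda p: p.proto == "icmp" and p.icmp_type == 8,
}

# Per-window limits (constructed for the sample; tune from a traffic baseline).
LIMITS = {"tcp_syn": 50, "icmp_echo": 100}


def detect_floods(packets, window_seconds, limits=LIMITS):
    """Tumbling sampling windows of window_seconds.
    Returns one alert dict per (window, class) whose count exceeds its limit."""
    per_window = defaultdict(lambda: defaultdict(Counter))
    for p in packets:
        start = int(p.ts // window_seconds) * window_seconds
        for name, match in CLASSIFIERS.items():
            if match(p):
                per_window[start][name][p.src] += 1
    alerts = []
    for start in sorted(per_window):
        for name, limit in limits.items():
            by_src = per_window[start].get(name)
            if not by_src:
                continue
            total = sum(by_src.values())
            if total > limit:
                top_src, top_n = by_src.most_common(1)[0]
                alerts.append({
                    "window_start": start, "class": name, "count": total,
                    "distinct_sources": len(by_src),
                    "top_source": top_src, "top_source_count": top_n,
                })
    return alerts


def constructed_traffic():
    """Three one-second windows: normal handshakes, a SYN flood, an ICMP flood."""
    pkts = []
    for i in range(5):  # window [0,1): five clients complete handshakes
        src = f"198.51.100.{i + 1}"
        pkts.append(Packet(0.1 * i, src, "tcp", "S"))
        pkts.append(Packet(0.1 * i + 0.02, src, "tcp", "A"))
    for i in range(120):  # window [1,2): 120 bare SYNs from three sources
        pkts.append(Packet(1.0 + i / 150, f"203.0.113.{10 + i % 3}", "tcp", "S"))
    for i in range(300):  # window [2,3): 300 echo requests from one source
        pkts.append(Packet(2.0 + i / 400, "203.0.113.99", "icmp", icmp_type=8))
    return pkts


if __name__ == "__main__":
    for alert in detect_floods(constructed_traffic(), window_seconds=1):
        print(alert)
```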

rdfs:label

  • "Inbound Session Volume Analysis"

analyzes

d3fend-id

  • "D3-ISVA"

kb-reference

Usage (18)

definition

  • "Restricting network traffic originating from untrusted networks destined towards a private host or enclave."

kb-article

  • "## How it works
    Inbound Traffic, in this context, is network traffic originating from an untrusted network towards a private host or enclave.
    For example:

    * An untrusted network host connecting to an internal commercial portal, shopping.example.com
    * An external mail server connecting to an internal mail server, mail.example.com

    Filtering policies are developed by administrators to meet business requirements and limit connectivity. These policies are implemented on edge devices such as firewalls, routers, and intrusion prevention systems. Examples of filters:

    * Blocking incoming traffic from spoofed internally facing IP addresses
    * Blocking specific ports and services from establishing connections
    * Limiting specific IP ranges from connecting to the network
    * Dynamic inbound filtering (Hole punching, STUN, NAT-T)

    ## Considerations
    * Business requirements typically drive the development of filtering rulesets
    * Protocols using non-standard ports may circumvent filtering technology, which does not detect application protocol based on traffic content

    ## Implementations
    * OpenWRT (Embedded)
    * Netfilter (Linux)
    * Windows Firewall
    * pf(BSD)"

rdfs:label

  • "Inbound Traffic Filtering"

d3fend-id

  • "D3-ITF"

filters

kb-reference

Usage (18)

definition

  • "Analyzing vendor-specific branch call recording in order to detect ROP style attacks."

kb-article

  • "## How it works

    This technique is used to detect an attacker attempting to exploit and execute code on a target system's call stack using return-oriented programming (ROP). Modern processors that have the ability to maintain a list of the branching calls, e.g., Intel's Last Branch Recording (LBR), can be used to track and analyze indirect branching calls that are indicative of malicious activity.

    In order to reduce the number of indirect branch calls to analyze to a manageable set, it is assumed that malicious ROP activity will involve the use of system calls. The technique observes indirect branch calls that are part of paths that lead to system calls; all others are ignored. Chains of branching calls are often referred to as gadgets, and gadgets are often used in ROP attacks. Indirect branch calls that involve a transfer from user-space to kernel-space are of interest for this technique.

    Identification of potential ROP exploit execution includes:

    - Inspecting the LBR when a system function call is made
    - Configuring the LBR to record only instructions of interest (ret, indirect jmp, indirect call)
    - Analyzing the recorded behavior for:
        - Ret instructions that appear to target areas not preceded by call sites
        - Sequences of small code fragments that appear to be chained through indirect branching calls (gadgets)
    - Returns that appear not to render control back to the caller after a call:
        - Typically, calls and rets are paired
        - Gadgets will appear to have a ret followed by the first instruction of the following gadget


    ## Considerations

    * May be operating system dependent since specific system calls are used to scope branching behavior
    * Processors need to support access to a Last Branch Recording list feature
    * The size of the LBR stack can limit the expected size of the analyzed execution stack
    * If the processor does not support LBR then overhead costs for the analysis can be significant"

rdfs:label

  • "Indirect Branch Call Analysis"

d3fend-id

  • "D3-IBCA"

kb-reference

Usage (18)

rdfs:label

  • "Initial Access"

display-order

  • 1

Usage (18)

rdfs:label

  • "Initial Access Technique"

enables

Usage (18)

comment

  • "In computing, an input device is a piece of equipment used to provide data and control signals to an information processing system such as a computer or information appliance. Examples of input devices include keyboards, mouse, scanners, digital cameras, joysticks, and microphones. Input devices can be categorized based on:"

isDefinedBy

  • http://dbpedia.org/resource/Input_device

rdfs:label

  • "Input Device"

Usage (18)

definition

  • "Operating system level mechanisms to prevent abusive input device exploitation."

kb-article

  • "## How it works

    Input Device Hardening techniques filter certain commands, or disable related operating system functionality.

    ### Analytics

    All of these values can be analyzed and compared to a baseline:

    * Amount of input
    * Duration of a single input
    * Durations between inputs
    * Value of input

    Context can also include:

    * User which is logged in, to include attributes such as physical location of the user
    * Date and time
    * System which is processing the input
    * Source device of input, to include its properties (e.g. manufacturer), configuration (e.g. keyboard layout) and behavioral attributes of this device (e.g. first use)
    * Source system of input (local or remote system)
    * Other hardware devices attached to the system


    ### Actions

    Actions can include:

    * Disabling the source device
    * Sending an alert
    * Locking the current session (e.g. system screen lock, or returning to an authentication screen in a web app) and requiring one or more methods of authentication to continue
    * Administratively disabling credentials for the account or the entire account -- the technique *Account Locking*


    ### Examples
    A malicious input device sends many keystrokes with approximately the same delay between each. This does not match the normal cadence of input, and the device is disabled.

    Input to type the session user's name takes abnormally longer for each keystroke. The system is locked to the password prompt screen.

    A system receives key press events from two different devices -- one device sends keystrokes after the other has been idle for a long time.

    A system receives physical input in a user session, while that user has sent input from a device located out of the country in the past hour.

    Network traffic is suddenly routed through a new external device, and nearly the same volume of network traffic is subsequently sent out the previously existing interface. The new external device is disabled, and an alert is raised to investigate the network configuration for a potential compromise.


    ## Considerations

    Given some example of legitimate behavioral input patterns, attackers could mimic those input patterns, a technique which has been used in popular culture in the creation of Deepfake videos and [This Person Does Not Exist](https://thispersondoesnotexist.com)."
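The first two examples above (a device sending keystrokes with nearly identical delays, and input whose timing is far from the user's baseline), as an added example that is not D3FEND's own code: the inter-keystroke intervals of one device are checked for too-regular cadence and for drift from a per-user baseline, and findings are mapped onto the actions listed in the article. The baseline figures, thresholds and event streams are constructed samples.

```python
"""Keystroke cadence analysis (added example, not D3FEND's own code).
It mirrors the first two examples in the article: a device whose keystrokes
arrive with nearly identical delays (scripted or injected input) and input whose
timing is far outside the user's baseline. The baseline figures, thresholds and
event streams below are constructed samples."""
import statistics


def intervals(timestamps):
    """Seconds between consecutive key-press events."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def analyze_cadence(timestamps, baseline_mean, baseline_stdev,
                    min_events=20, max_cv=0.05, max_z=3.0):
    """Return findings for one device's key-press timestamps (empty = normal).
    baseline_mean/baseline_stdev: the user's historical inter-keystroke interval.
    max_cv: coefficient of variation below which cadence is 'too regular' for a human.
    max_z: how many baseline standard deviations the mean may drift."""
    gaps = intervals(timestamps)
    if len(gaps) + 1 < min_events:
        return []  # too few events to judge; wait for more input
    mean = statistics.fmean(gaps)
    spread = statistics.pstdev(gaps)
    findings = []
    if mean > 0 and spread / mean < max_cv:
        findings.append("uniform_cadence")
    z = (mean - baseline_mean) / baseline_stdev if baseline_stdev > 0 else 0.0
    if abs(z) > max_z:
        findings.append("fast_input" if z < 0 else "slow_input")
    return findings


def decide(findings):
    """Map findings onto the response actions listed under 'Actions'."""
    if "uniform_cadence" in findings:
        return "disable_device"
    if findings:
        return "lock_session"
    return "allow"


def constructed_events(start, gaps):
    """Build absolute timestamps from a list of inter-keystroke gaps."""
    ts, events = start, [start]
    for g in gaps:
        ts += g
        events.append(ts)
    return events


# Constructed user baseline: mean 240 ms between keystrokes, stdev 40 ms.
BASELINE_MEAN, BASELINE_STDEV = 0.24, 0.04
# Constructed streams of 31 key presses each.
HUMAN_GAPS = [0.18 + 0.03 * ((i * 7) % 5) for i in range(30)]  # jittered, mean 0.24
SCRIPTED_GAPS = [0.05] * 30                                    # fixed 50 ms delay
SLOW_GAPS = [0.9 + 0.2 * (i % 3) for i in range(30)]            # mean 1.1 s per key


if __name__ == "__main__":
    for label, gaps in [("human", HUMAN_GAPS), ("scripted", SCRIPTED_GAPS), ("slow", SLOW_GAPS)]:
        found = analyze_cadence(constructed_events(0.0, gaps), BASELINE_MEAN, BASELINE_STDEV)
        print(label, found, decide(found))
```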

rdfs:label

  • "Input Device Analysis"

analyzes

d3fend-id

  • "D3-IDA"

kb-reference

Usage (18)

definition

  • "The practice of setting decoys in a production environment to entice interaction from attackers."

kb-article

  • "## How it works
    Integrated honeynets are full production environments connected to the enterprise network that use computing resources or software to attract attackers and allow full interaction and access, providing a complete view of an attack.

    ## Considerations
    An attacker with control of a system on an Integrated Honeynet could:
    * try to attack other connected hosts on the network (its IP range, or internal hosts not properly configured to react to connections from machines on the integrated honeynet), or exploit its position behind the firewall
    * exploit its position by eavesdropping on network traffic
    * stop the processes used to log an attack without setting off any alarms [1]

    1. Honeypots for Windows, Roger Grimes, 2005"

rdfs:label

  • "Integrated Honeynet"

d3fend-id

  • "D3-IHN"

kb-reference

spoofs

Usage (18)

rdfs:label

  • "Internationalized Domain Name"

Usage (18)

rdfs:label

  • "Internet Article"

Usage (18)

comment

  • "Internet network traffic is network traffic that crosses a boundary between networks. [This is the general sense of inter-networking; It may or may not cross to or from the Internet]"

rdfs:label

  • "Internet Network Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Internetworking

Usage (18)

comment

  • "In computer science, interprocess communication or inter-process communication (IPC) refers specifically to the mechanisms an operating system provides to allow processes it manages to share data. Typically, applications can use IPC categorized as clients and servers, where the client requests data and the server responds to client requests. Many applications are both clients and servers, as commonly seen in distributed computing. Methods for achieving IPC are divided into categories which vary based on software requirements, such as performance and modularity requirements, and system circumstances, such as network bandwidth and latency."

isDefinedBy

  • http://dbpedia.org/resource/Inter-process_communication

rdfs:label

  • "Interprocess Communication"

Usage (18)

comment

  • "Intranet administrative network traffic is administrative network traffic that does not cross a given network's boundaries and uses a standard administrative protocol."

rdfs:label

  • "Intranet Administrative Network Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Intranet

Usage (18)

comment

  • "Intranet file transfer traffic is file transfer traffic that does not cross a given network's boundaries and uses a standard file transfer protocol."

rdfs:label

  • "Intranet File Transfer Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/File_transfer
  • http://dbpedia.org/resource/Intranet

Usage (18)

comment

  • "Intranet IPC network traffic is network traffic that does not cross a given network's boundaries and uses a standard inter-process communication (IPC) networking protocol."

rdfs:label

  • "Intranet IPC Network Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Inter-process_communication
  • http://dbpedia.org/resource/Intranet

may-contain

Usage (18)

comment

  • "Intranet multicast network traffic is multicast network traffic that does not cross a given network's boundaries."

rdfs:label

  • "Intranet Multicast Network Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Multicast

Usage (18)

comment

  • "An intranet is a private network accessible only to an organization's staff or delegates. Generally a wide range of information and services from the organization's internal IT systems are available that would not be available to the public from the Internet. A company-wide intranet can constitute an important focal point of internal communication and collaboration, and provide a single starting point to access internal and external resources. In its simplest form an intranet is established with the technologies for local area networks (LANs) and wide area networks (WANs)."

isDefinedBy

  • http://dbpedia.org/resource/Intranet

rdfs:label

  • "Intranet Network"

Usage (18)

comment

  • "Intranet network traffic is network traffic that does not traverse a given network's boundaries."

rdfs:label

  • "Intranet Network Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Intranet

Usage (18)

comment

  • "Intranet web network traffic is network traffic that does not cross a given network's boundaries and uses a standard web protocol."

rdfs:label

  • "Intranet Web Network Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Intranet

may-contain

Usage (18)

definition

  • "The isolate tactic creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses."

rdfs:label

  • "Isolate"

display-order

  • 2

Usage (18)

comment

  • "A JavaScript Blob is a Blob that was created by a JavaScript Blob() constructor call or equivalent function."

rdfs:label

  • "JavaScript Blob"

Usage (18)

rdfs:label

  • "Javascript File"

Usage (18)

definition

  • "Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department."

kb-article

  • "## How it works
    Peer group analysis identifies functionally similar groups of actors (users or resources) based on categorizations such as job title, organizational hierarchy, or other attributes that indicate similarity of job function. Current user access activity is then compared to the appropriate peer group behavior profile to identify anomalies.

    ## Considerations
    Potential for false positives from anomalies that are not associated with malicious activity."

rdfs:label

  • "Job Function Access Pattern Analysis"

analyzes

d3fend-id

  • "D3-JFAPA"

kb-reference

Usage (18)

comment

  • "An access ticket/token issued by a Kerberos system."

rdfs:label

  • "Kerberos Ticket"

Usage (18)

comment

  • "A ticket granting ticket issued by a Kerberos system; that is, a ticket that grants a user domain admin access."

rdfs:label

  • "Kerberos Ticket Granting Ticket"

rdfs:seeAlso

  • http://dbpedia.org/resource/Ticket_Granting_Ticket

Usage (18)

comment

  • "The kernel is a computer program that constitutes the central core of a computer's operating system. It has complete control over everything that occurs in the system. As such, it is the first program loaded on startup, and then manages the remainder of the startup, as well as input/output requests from software, translating them into data processing instructions for the central processing unit. It is also responsible for managing memory, and for managing and communicating with computing peripherals, like printers, speakers, etc. The kernel is a fundamental part of a modern computer's operating system."

isDefinedBy

  • http://dbpedia.org/resource/Kernel_(operating_system)

rdfs:label

  • "Kernel"

contains

loads

manages

may-contain

Usage (18)

definition

  • "Using kernel-level capabilities to isolate processes."

rdfs:label

  • "Kernel-based Process Isolation"

d3fend-id

  • "D3-KBPI"

kb-reference

Usage (18)

altLabel

  • "LKM"
  • "Loadable Kernel Module"

comment

  • "A loadable kernel module (LKM) is an object file that contains code to extend the running kernel, or so-called base kernel, of an operating system. LKMs are typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls. When the functionality provided by a LKM is no longer required, it can be unloaded in order to free memory and other resources.

    Most current Unix-like systems and Microsoft Windows support loadable kernel modules, although they might use a different name for them, such as kernel loadable module (kld) in FreeBSD, kernel extension (kext) in macOS,[1] kernel extension module in AIX, kernel-mode driver in Windows NT[2] and downloadable kernel module (DKM) in VxWorks. They are also known as kernel loadable modules (or KLM), and simply as kernel modules (KMOD)."

isDefinedBy

  • http://dbpedia.org/resource/Loadable_kernel_module

rdfs:label

  • "Kernel Module"

Usage (18)

comment

  • "A data structure in the kernel which is a table containing all of the information that must be saved when the CPU switches from running one process to another in a multitasking system. It allows the operating system to track each process's execution status. For every process managed by the kernel, there is a process control block (PCB) in the process table."

isDefinedBy

  • https://encyclopedia2.thefreedictionary.com/process+table

rdfs:label

  • "Kernel Process Table"

rdfs:seeAlso

  • http://dbpedia.org/resource/Process_(computing)
  • https://www.geeksforgeeks.org/process-table-and-process-control-block-pcb/

Usage (18)

altLabel

  • "Computer Keyboard"
  • "Keyboard"

comment

  • "A computer keyboard is a typewriter-style device which uses an arrangement of buttons or keys to act as mechanical levers or electronic switches. Following the decline of punch cards and paper tape, interaction via teleprinter-style keyboards became the main input method for computers. A keyboard is also used to give commands to the operating system of a computer, such as Windows' Control-Alt-Delete combination. Although on Pre-Windows 95 Microsoft operating systems this forced a re-boot, now it brings up a system security options screen."

isDefinedBy

  • http://dbpedia.org/resource/Computer_keyboard

rdfs:label

  • "Keyboard Input Device"

Usage (18)

rdfs:label

  • "LDIF Record"

Usage (18)

kb-abstract

  • "LUKS is short for "Linux Unified Key Setup". It was initially developed to remedy the unpleasantness a user experienced arising from deriving the encryption setup from changing user space and forgotten command line arguments. The result of these changes is an inaccessible encryption storage. The reason for this to happen was an unstandardised way to read, process and set up encryption keys, and if the user was unlucky, he upgraded to an incompatible version of user space tools that needed a good deal of knowledge to use with old encryption volumes."

kb-author

  • "Clemens Fruhwirth"

rdfs:label

  • "LUKS1 On-Disk Format Specification Version 1.2.3"

kb-reference-of

kb-reference-title

  • "LUKS1 On-Disk Format Specification Version 1.2.3"

Usage (18)

rdfs:label

  • "Lateral Movement"

display-order

  • 8

Usage (18)

rdfs:label

  • "Lateral Movement Technique"

enables

Usage (18)

comment

  • "In computing, a legacy system is an old method, technology, computer system, or application program, "of, relating to, or being a previous or outdated computer system," yet still in use. Often referencing a system as "legacy" means that it paved the way for the standards that would follow it. This can also imply that the system is out of date or in need of replacement."

isDefinedBy

  • http://dbpedia.org/resource/Legacy_system

rdfs:label

  • "Legacy System"

Usage (18)

comment

  • "test"

rdfs:label

  • "Linux ELF File 32bit"

Usage (18)

rdfs:label

  • "Linux ELF File 64bit"

Usage (18)

rdfs:label

  • "Linux Exec"

Usage (18)

rdfs:label

  • "Linux Process"

Usage (18)

definition

  • "Analyzing local user accounts to detect unauthorized activity."

rdfs:label

  • "Local Account Monitoring"

analyzes

d3fend-id

  • "D3-LAM"

kb-reference

Usage (18)

altLabel

  • "LAN"

comment

  • "A local area network (LAN) is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, university campus or office building and has its network equipment and interconnects locally managed. Ethernet and Wi-Fi are the two most common transmission technologies in use for local area networks. Historical technologies include ARCNET, Token ring, and AppleTalk."

isDefinedBy

  • http://dbpedia.org/resource/Local_area_network

rdfs:label

  • "Local Area Network"

may-contain

Usage (18)

comment

  • "Intranet local area network (LAN) traffic is network traffic that does not cross a given network's boundaries; where that network is defined as a LAN."

rdfs:label

  • "Local Area Network Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Intranet

Usage (18)

definition

  • "Restricting access to a local file by configuring operating system functionality."

rdfs:label

  • "Local File Permissions"

d3fend-id

  • "D3-LFP"

kb-reference

restricts

Usage (18)

altLabel

  • "System Resource"

comment

  • "In computing, a system resource, or simply resource, is any physical or virtual component of limited availability within a computer system. Every device connected to a computer system is a resource. Every internal system component is a resource. Virtual system resources include files (concretely file handles), network connections (concretely network sockets), and memory areas. Managing resources is referred to as resource management, and includes both preventing resource leaks (releasing a resource when a process has finished using it) and dealing with resource contention (when multiple processes wish to access a limited resource)."

rdfs:label

  • "Local Resource"

rdfs:seeAlso

  • http://dbpedia.org/resource/System_resource

Usage (18)

altLabel

  • "Endpoint Resource Access"

comment

  • "Ephemeral digital artifact comprising a request of a local resource and any response from that resource."

rdfs:label

  • "Local Resource Access"

accesses

Usage (18)

comment

  • "A user account on a given host is a local user account for that specific host."

rdfs:label

  • "Local User Account"

Usage (18)

altLabel

  • "Chronology"

comment

  • "A record of events in the order of their occurrence."

isDefinedBy

  • http://wordnet-rdf.princeton.edu/id/06515215-n

rdfs:label

  • "Log"

rdfs:seeAlso

  • http://dbpedia.org/resource/Chronology

Usage (18)

comment

  • "A log file is a file that records either events that occur in an operating system or other software runs, or messages between different users of a communication software. Logging is the act of keeping a log. In the simplest case, messages are written to a single log file.

    A transaction log is a file (i.e., log) of the communications between a system and the users of that system, or a data collection method that automatically captures the type, content, or time of transactions made by a person from a terminal with that system. For Web searching, a transaction log is an electronic record of interactions that have occurred during a searching episode between a Web search engine and users searching for information on that Web search engine.

    Many operating systems, software frameworks and programs include a logging system. A widely used logging standard is syslog, defined in Internet Engineering Task Force (IETF) RFC 5424. The syslog standard enables a dedicated, standardized subsystem to generate, filter, record, and analyze log messages. This relieves software developers of having to design and code their own ad hoc logging systems."

isDefinedBy

  • http://dbpedia.org/resource/Log_file

rdfs:label

  • "Log File"

rdfs:seeAlso

  • http://wordnet-rdf.princeton.edu/id/06515875-n

contains

Usage (18)

comment

  • "In computing, a login session is the period of activity between a user logging in and logging out of a (multi-user) system. On Unix and Unix-like operating systems, a login session takes one of two main forms: (a) When a textual user interface is used, a login session is represented as a kernel session -- a collection of process groups with the logout action managed by a session leader, and (b) Where an X display manager is employed, a login session is considered to be the lifetime of a designated user process that the display manager invokes."

isDefinedBy

  • http://dbpedia.org/resource/Login_session

rdfs:label

  • "Login Session"

Usage (18)

kb-abstract

  • "ProcDump is a Sysinternals command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.

    ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-mitre-analysis

  • "MITRE"

rdfs:label

  • "Reference - CAR-2019-07-002: Lsass Process Dump via Procdump - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2019-07-002: Lsass Process Dump via Procdump"

Usage (18)

rdfs:label

  • "Lua Script File"

Usage (18)

rdfs:label

  • "Application Developer Guidance"

d3fend-comment

  • "A future release of D3FEND will define a taxonomy of Source Code Hardening Techniques."

Usage (18)

rdfs:label

  • "Active Directory Configuration"

d3fend-comment

  • "M1015 scope is broad, touching on a wide variety of techniques in D3FEND."

Usage (18)

rdfs:label

  • "Vulnerability Scanning"

d3fend-comment

  • "Future D3FEND releases will model the scanning and inventory domains."

Usage (18)

rdfs:label

  • "User Training"

d3fend-comment

  • "Modeling user training is outside the scope of D3FEND."

Usage (18)

rdfs:label

  • "User Account Management"

Usage (18)

rdfs:label

  • "Threat Intelligence Program"

d3fend-comment

  • "Establishing and running a Threat Intelligence Program is outside the scope of D3FEND."

Usage (18)

rdfs:label

  • "SSL/TLS Inspection"

d3fend-comment

  • "D3FEND models this as an infrastructure dependency to support D3-NTA."

Usage (18)

rdfs:label

  • "Restrict Web-Based Content"

d3fend-comment

  • "M1021 scope is broad, touching on a wide variety of techniques in D3FEND."

Usage (18)

rdfs:label

  • "Restrict File and Directory Permissions"

Usage (18)

rdfs:label

  • "Restrict Registry Permission"

Usage (18)

rdfs:label

  • "Privileged Process Integrity"

Usage (18)

rdfs:label

  • "Privileged Account Management"

Usage (18)

rdfs:label

  • "Password Policies"

Usage (18)

rdfs:label

  • "Operating System Configuration"

Usage (18)

rdfs:label

  • "Remote Data Storage"

d3fend-comment

  • "IT disaster recovery plans are outside the current scope of D3FEND."

Usage (18)

rdfs:label

  • "Network Segmentation"

Usage (18)

rdfs:label

  • "Network Intrusion Prevention"

Usage (18)

rdfs:label

  • "Multi-factor Authentication"

Usage (18)

rdfs:label

  • "Limit Software Installation"

Usage (18)

rdfs:label

  • "Limit Hardware Installation"

Usage (18)

rdfs:label

  • "Limit Access to Resource Over Network"

Usage (18)

rdfs:label

  • "Account Use Policies"

d3fend-comment

  • "D3-AZET is potentially related, though not called out in the ATT&CK definition."

Usage (18)

rdfs:label

  • "Filter Network Traffic"

Usage (18)

rdfs:label

  • "Execution Prevention"

Usage (18)

rdfs:label

  • "Environment Variable Permissions"

Usage (18)

rdfs:label

  • "Behavior Prevention on Endpoint"

Usage (18)

rdfs:label

  • "Encrypt Sensitive Information"

Usage (18)

rdfs:label

  • "Disable or Remove Feature or Program"

Usage (18)

rdfs:label

  • "Credential Access Protection"

Usage (18)

rdfs:label

  • "Restrict Library Loading"

d3fend-comment

  • "D3-SCF is one possible way to filter library loading."

Usage (18)

rdfs:label

  • "Code Signing"

Usage (18)

rdfs:label

  • "Boot Integrity"

Usage (18)

rdfs:label

  • "Audit"

d3fend-comment

  • "M1047 scope is broad, touching on a wide variety of techniques in D3FEND."

Usage (18)

rdfs:label

  • "Application Isolation and Sandboxing"

d3fend-comment

  • "'Sandboxing' is often used to describe a detection environment which includes some forms of analysis (see D3-DA). Many forms of isolation (e.g., quarantining) are more static in nature and simply limit software's access to system resources."

Usage (18)

rdfs:label

  • "Antivirus/Antimalware"

d3fend-comment

  • "Process Analysis and subclasses."

Usage (18)

rdfs:label

  • "Exploit Protection"

Usage (18)

rdfs:label

  • "Update Software"

Usage (18)

rdfs:label

  • "User Account Control"

Usage (18)

rdfs:label

  • "Data Backup"

d3fend-comment

  • "Comprehensive IT disaster recovery plans are outside the current scope of D3FEND."

Usage (18)

rdfs:label

  • "Software Configuration"

Usage (18)

rdfs:label

  • "Do Not Mitigate"

Usage (18)

rdfs:label

  • "Pre-compromise"

Usage (18)

rdfs:label

  • "MSG Email File"

Usage (18)

altLabel

  • "Keychain"

comment

  • "Keychain is the password management system in macOS, developed by Apple. It was introduced with Mac OS 8.6, and has been included in all subsequent versions of the operating system, now known as macOS. A Keychain can contain various types of data: passwords (for websites, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, encrypted disk images), private keys, certificates, and secure notes."

isDefinedBy

  • http://dbpedia.org/resource/Keychain_(software)

rdfs:label

  • "MacOS Keychain"

Usage (18)

comment

  • "Mail traffic is network traffic that uses a standard mail transfer protocol."

rdfs:label

  • "Mail Network Traffic"

contains

Usage (18)

altLabel

  • "Email Server Resource"
  • "MTA"
  • "MX Host"
  • "Mail Exchanger"
  • "Mail transfer agent"
  • "Message transfer agent"

comment

  • "Within the Internet email system, a message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using SMTP. The terms mail server, mail exchanger, and MX host are also used in some contexts. Messages exchanged across networks are passed between mail servers, including any attached data files (such as images, multimedia or documents). These servers also often keep mailboxes for email. Access to this email by end users is typically either via webmail or an email client."

isDefinedBy

  • http://dbpedia.org/resource/Message_transfer_agent

rdfs:label

  • "Mail Server"

Usage (18)

definition

  • "Controlling access to local computer system resources with kernel-level capabilities."

kb-article

  • "## How it works
    Mandatory access control is a non-discretionary access control system because the rules and policies that determine access are set by a security control authority and not delegated to local users. Access determinations are based on designed access control policies and are not based on local resource owner determinations.

    Access is typically granted by defining sets of subjects and sets of objects. Subjects are the entities requesting access and objects are the resources that subjects are trying to access. Rules and policies are defined that associate subjects and object permissions and access controls.

    ### Common MAC implementations
    #### Security label access control
    A fine-grained form of mandatory access control is to apply security labels to individual resources, including processes, and the access control decisions are against a particular resource and a given user attempting to gain access. This type of MAC requires that the file system has built-in support for security labels.

    Access controls are typically implemented through the use of label identifiers for every file system object. Identifier labels are applied to resources and users are assigned a similar access identifier. When a user attempts to access a resource, the operating system performs an access control check, which compares the credentials assigned to the user with those of the resource or object they are attempting to access.

    A security context is associated with resources and is used to determine access. Typical basic access control elements include users, roles and types; together they form a security context, which is the basis for the security labels.

    This type of access control is what is employed in SELinux [2]. This form of MAC is considered the most flexible implementation, but it also is the most complex to deploy across the enterprise. Where multiple virtual machines (VM) are run together this type of access control is typically employed to ensure true isolation of processes and VMs.

    #### File path level controls
    A less fine-grained form of mandatory access control is to apply security labels that allow for access control at the file path level. Access control is filesystem agnostic and no relabeling of resources is required. Pathname access control usually seems more natural for implementation and corresponding access audits.

    This type of MAC is what is employed in AppArmor [3]. AppArmor was developed to provide a simpler alternative MAC method with much less management overhead. A simple access policy is maintained that defines path resource access rules. Access control attributes are typically associated with programs instead of users.


    ## Considerations
    Some implementations of security label mandatory access control contain complex rule sets that are hard to verify and complex to maintain over time.

    Initial planning of the access model and continuous monitoring of the available users, resources and objects is necessary.

    ## Implementations

    * Linux C-Groups, and policy engines like SELinux and AppArmor
    * Windows Mandatory Integrity Control introduced in Windows Vista


    ### Citations
    1. [Implementation of Mandatory Access Control in Distributed Systems](https://link.springer.com/article/10.3103/S0146411618080357)
    2. [SELinux](https://selinuxproject.org/)
    3. [AppArmor](https://www.apparmor.net/)"
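To make the two MAC styles above concrete, here is an added example (not D3FEND's, SELinux's or AppArmor's code) of a toy decision engine: a security-label check in the style of type enforcement, a path-based check in the style of a program profile, and the point that an owner's discretionary grant never overrides a mandatory denial. Every context, rule, path and program name in it is a constructed sample value.

```python
"""Toy mandatory access control (MAC) decision engine.

Added example, not D3FEND's or any project's code. It models the two MAC
styles the article describes: security-label (SELinux-style type
enforcement) and file-path (AppArmor-style profile) control. Policy is
held centrally; a resource owner cannot grant what the policy denies.
All contexts, rules and paths below are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# ---------- Security-label MAC (simplified SELinux type enforcement) ----------

@dataclass(frozen=True)
class SecurityContext:
    """user:role:type triple, the security label attached to a subject or object."""
    user: str
    role: str
    type_: str

# Central policy: (subject domain, object type) -> permitted operations.
LABEL_POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("httpd_t", "httpd_content_t"): {"read"},
    ("httpd_t", "httpd_log_t"): {"append"},
    ("sshd_t", "shadow_t"): {"read"},
}

def label_check(subject: SecurityContext, obj: SecurityContext, op: str) -> bool:
    """Allow only if a central rule grants `op` for this (domain, type) pair."""
    return op in LABEL_POLICY.get((subject.type_, obj.type_), set())

# ---------- Path-based MAC (simplified AppArmor profile) ----------

def _glob_to_re(glob: str) -> "re.Pattern[str]":
    """AppArmor-like globbing: '*' stays inside one directory, '**' crosses them."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

# Profiles attach to programs, not users: path glob -> permission letters.
PATH_PROFILES: Dict[str, Dict[str, str]] = {
    "/usr/sbin/httpd": {
        "/var/www/html/**": "r",
        "/var/log/httpd/*": "w",
        "/etc/httpd/**": "r",
    }
}
_OP_LETTER = {"read": "r", "write": "w", "append": "w", "exec": "x"}

def path_check(program: str, path: str, op: str) -> bool:
    """Deny unless some profile rule for `program` matches `path` with `op`."""
    profile = PATH_PROFILES.get(program)
    if profile is None:
        return False  # no profile here means no access in this toy model
    letter = _OP_LETTER[op]
    return any(letter in perms and _glob_to_re(glob).match(path)
               for glob, perms in profile.items())

# ---------- Why MAC is non-discretionary ----------

def effective_decision(owner_grants: bool, mac_allows: bool) -> bool:
    """DAC (the owner's mode bits) and MAC are both consulted; the owner
    cannot loosen MAC, so a DAC grant never overrides a MAC denial."""
    return owner_grants and mac_allows
```

The path matcher deliberately keeps `*` within a single directory, which is why a write to `/var/log/httpd/old/access.log` is refused while `/var/log/httpd/access.log` is allowed; that behaviour is the usual source of surprise when profiles are first written.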

rdfs:label

  • "Mandatory Access Control"

d3fend-id

  • "D3-MAC"

isolates

kb-reference

Usage (18)

rdfs:label

  • "Marketing Material"

Usage (18)

definition

  • "Analyzing a call stack for return addresses which point to unexpected memory locations."

kb-article

  • "## How it works
    This technique monitors for indicators of whether a return address is outside memory previously allocated for an object (i.e. function, module, process, or thread). If so, code that the return address points to is treated as malicious code.

    ## Considerations
    Kernel malware can manipulate memory contents, for example modifying pointers to hide processes, and thereby impact the accuracy of memory allocation information used to perform the analysis."

rdfs:label

  • "Memory Boundary Tracking"

analyzes

d3fend-id

  • "D3-MBT"

kb-reference

Usage (18)

definition

  • "Analyzing email or instant message content to detect unauthorized activity."

kb-article

  • "## Technique Overview

    Email and messaging are frequently used to deliver malicious content to targets. These enterprise capabilities are used to deliver software exploits or social engineering tricks. If the recipient of a message trusts the sender, attackers can avoid escalating suspicion.

    Emails and messages are also complex data structures. They contain files and links, and complex data encodings which vary region to region. Thus the defensive techniques used to analyze emails and messages are highly varied ranging from deep content analysis and execution to social network graph-style analytics to analyze trust or risk."

rdfs:label

  • "Message Analysis"

synonym

  • "Electronic Message Analysis"
  • "Email Or Messaging Analysis"

d3fend-id

  • "D3-MA"

enables

Usage (18)

definition

  • "Authenticating the sender of a message and ensuring message integrity."

kb-article

  • "## How it works

    ### Digital Signature
    Digital signatures are used to verify that a message is from the expected sender. In email, the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol is typically used to digitally sign messages. A hash value of the sender's message is created and encrypted with the sender's private key to create a digital signature. The message and the digital signature are sent to the recipient, where the sender's public key is used to decrypt the digital signature, recovering the original hash, and the hash of the received message is computed. The computed hash is compared with the hash recovered from the signature; any difference in the hash values signifies that the message did not originate from the sender or has been altered in transit.

    ### Message Authentication Code (MAC)
    A MAC is a fixed-size string that is appended to a message to provide message authentication and integrity. The sender's MAC signing algorithm takes as input a secret symmetric key shared between sender and recipient and the message, and calculates a short tag that is appended to the message. The recipient receives the message with the appended tag, and a MAC verification algorithm is run using the symmetric key to verify that the message came from the stated sender and has not been tampered with.

    ## Considerations
    - Public keys associated with digital signatures should be verified by a Certification Authority (CA) to prevent impersonation. The CA verifies the owner of a public key and puts the sender's identity and public key into a certificate that is signed by the CA.
    - Digital signatures provide non-repudiation, where a third party can verify the authenticity of the message using the sender's digital certificate signed by the CA.
    - Symmetric keys must be exchanged securely via a private channel, and management of new symmetric keys is needed for each pair of participants wishing to exchange messages."
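The MAC half of the article, as an added example that is not D3FEND's code: HMAC-SHA256 sign and verify using Python's standard `hmac` module. The key and messages are constructed sample values. It shows the tag appended to the message, the constant-time comparison on the verifier side, and the three outcomes a verifier must distinguish: authentic, tampered, and wrong key.

```python
"""Message Authentication Code (MAC) sign/verify with HMAC-SHA256.

Added example, not D3FEND's code. Uses the standard hmac module; the key
and messages are constructed sample values. Note that because sender and
recipient hold the same key, a MAC proves origin only to the other key
holder; it does not give the third-party non-repudiation a signature does.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

TAG_LEN = 32  # HMAC-SHA256 produces a 32-byte tag

def mac_sign(key: bytes, message: bytes) -> bytes:
    """Sender side: append tag = HMAC(key, message) to the message."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag

def mac_verify(key: bytes, signed: bytes) -> Optional[bytes]:
    """Recipient side: recompute the tag and compare in constant time.
    Returns the message if authentic, None if tampered or wrong key."""
    if len(signed) < TAG_LEN:
        return None  # too short to even carry a tag
    message, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest avoids leaking how many tag bytes matched via timing
    if not hmac.compare_digest(tag, expected):
        return None
    return message

def demo() -> Dict[str, Optional[bytes]]:
    """Exercise the three outcomes with a fresh random shared key."""
    key = secrets.token_bytes(32)  # shared secret, exchanged out of band
    signed = mac_sign(key, b"transfer 100 to acct 42")
    tampered = bytearray(signed)
    tampered[9] ^= 0x01  # flip one bit of the message body ('1' -> '0')
    return {
        "authentic": mac_verify(key, signed),
        "tampered": mac_verify(key, bytes(tampered)),
        "wrong_key": mac_verify(secrets.token_bytes(32), signed),
    }
```

The verifier returns the message only on success, so callers cannot accidentally use an unverified body; a bare boolean alongside the original buffer is the classic way that check gets skipped.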

rdfs:label

  • "Message Authentication"

authenticates

d3fend-id

  • "D3-MAN"

kb-reference

Usage (18)

definition

  • "Encrypting a message body using a cryptographic key."

kb-article

  • "## How it works

    ### Asymmetric Cryptography
    Asymmetric encryption is typically accomplished using public and private key certificates based on the X.509 standard. The sender encrypts messages using the recipient's public key and the recipient decrypts the message using their private key. Standards that can be used to implement message encryption include S/MIME (Secure/Multipurpose Internet Mail Extensions) and PGP.

    ### Symmetric Cryptography
    Symmetric encryption uses the same cryptographic key for both the sender and receiver to encrypt and decrypt a message. Asymmetric key exchange protocols such as Diffie-Hellman can be used to share the cryptographic key with the recipient.

    ## Considerations
    - Separate configuration settings to enable message encryption are often needed for each messenger client (e.g. webmail, desktop client, mobile).
    - Continuous monitoring to ensure private keys are not compromised and the certificate authority (CA) is trusted.
    - Secure transfer of private keys between multiple devices."

rdfs:label

  • "Message Encryption"

d3fend-id

  • "D3-MENCR"

encrypts

kb-reference

Usage (18)

definition

  • "Email or Messaging Hardening includes measures taken to ensure the confidentiality and integrity of user to user computer messages."

rdfs:label

  • "Message Hardening"

synonym

  • "Email Or Messaging Hardening"

d3fend-id

  • "D3-MH"

enables

Usage (18)

altLabel

  • "MTA"
  • "Mail Transfer Agent"

comment

  • "A message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using a client-server application architecture. An MTA implements both the client (sending) and server (receiving) portions of the Simple Mail Transfer Protocol."

rdfs:label

  • "Message Transfer Agent"

rdfs:seeAlso

  • http://dbpedia.org/resource/Message_transfer_agent

Usage (18)

rdfs:label

  • "Microsoft VCCLCompilerTool BufferSecurityCheck"

Usage (18)

rdfs:label

  • "Microsoft Word DOCB File"

Usage (18)

rdfs:label

  • "Microsoft Word DOC File"

Usage (18)

rdfs:label

  • "Microsoft Word DOCM File"

Usage (18)

rdfs:label

  • "Microsoft Word DOCX File"

Usage (18)

rdfs:label

  • "Microsoft Word DOT File"

Usage (18)

rdfs:label

  • "Microsoft Word DOTM File"

Usage (18)

rdfs:label

  • "Microsoft Word DOTX File"

Usage (18)

rdfs:label

  • "Microsoft Word WBK File"

Usage (18)

altLabel

  • "Rename File"

comment

  • "A system call to rename or move a file. Linux's rename() is an example of this kind of system call."

rdfs:label

  • "Move File"

rdfs:seeAlso

  • https://man7.org/linux/man-pages/man2/rename.2.html

modifies

Usage (18)

definition

  • "Requiring proof of two or more pieces of evidence in order to authenticate a user."

kb-article

  • "## How it works
    When logging into an account users present two or more credentials that fall into different categories: something you know (password or PIN), something you have (smart card or phone), or something you are (fingerprint).

    ## Considerations
    MFA configuration steps may vary across accounts and in some cases are left up to users to activate and implement."

rdfs:label

  • "Multi-factor Authentication"

authenticates

d3fend-id

  • "D3-MFA"

kb-reference

Usage (18)

comment

  • "A directory resource made available from one host to other hosts on a computer network."

rdfs:label

  • "Network Directory Resource"

contains

Usage (18)

comment

  • "A computer file resource made available from one host to other hosts on a computer network."

rdfs:label

  • "Network File Resource"

contains

Usage (18)

comment

  • "A shared file resource, or network file share, is a computer file made available from one host to other hosts on a computer network. Network sharing is made possible by inter-process communication over the network. It includes both files and directories."

rdfs:label

  • "Network File Share Resource"

Usage (18)

comment

  • "A summarization of network transactions between a client and server. It often summarizes bytes sent, bytes received, and protocol flags."

rdfs:label

  • "Network Flow"

summarizes

Usage (18)

comment

  • "A computer file resource made available from one host to other hosts on a computer network that is also an initialization script."

rdfs:label

  • "Network Init Script File Resource"

Usage (18)

definition

  • "Network Isolation techniques prevent network hosts from accessing non-essential system network resources."

rdfs:label

  • "Network Isolation"

d3fend-id

  • "D3-NI"

enables

Usage (18)

comment

  • "In telecommunications networks, a node (Latin nodus, 'knot') is either a redistribution point or a communication endpoint. The definition of a node depends on the network and protocol layer referred to. A physical network node is an electronic device that is attached to a network, and is capable of creating, receiving, or transmitting information over a communications channel. A passive distribution point such as a distribution frame or patch panel is consequently not a node."

isDefinedBy

  • http://dbpedia.org/resource/Node_(networking)

rdfs:label

  • "Network Node"

runs

Usage (18)

comment

  • "A network packet is a formatted unit of data carried by a packet-switched network. Computer communications links that do not support packets, such as traditional point-to-point telecommunications links, simply transmit data as a bit stream. When data is formatted into packets, packet switching is possible and the bandwidth of the communication medium can be better shared among users than with circuit switching."

isDefinedBy

  • http://dbpedia.org/resource/Network_packet

rdfs:label

  • "Network Packet"

Usage (18)

altLabel

  • "Shared Resource"

comment

  • "In computing, a shared resource, or network share, is a computer resource made available from one host to other hosts on a computer network. It is a device or piece of information on a computer that can be remotely accessed from another computer, typically via a local area network or an enterprise intranet, transparently as if it were a resource in the local machine. Network sharing is made possible by inter-process communication over the network."

rdfs:label

  • "Network Resource"

rdfs:seeAlso

  • http://dbpedia.org/resource/Shared_resource

Usage (18)

comment

  • "Ephemeral digital artifact comprising a request of a network resource and any response from that network resource."

rdfs:label

  • "Network Resource Access"

accesses

Usage (18)

comment

  • "A network session is a temporary and interactive information interchange between two or more devices communicating over a network. A session is established at a certain point in time, and then 'torn down' - brought to an end - at some later point. An established communication session may involve more than one message in each direction. A session is typically stateful, meaning that at least one of the communicating parties needs to hold current state information and save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses. Network sessions may be established and implemented as part of protocols and services at the application, session, or transport layers of the OSI model."

rdfs:label

  • "Network Session"

rdfs:seeAlso

  • http://dbpedia.org/resource/OSI_model
  • http://dbpedia.org/resource/Session_(computer_science)

contains

Usage (18)

altLabel

  • "Data Traffic"

comment

  • "Network traffic or data traffic is the data, or alternatively the amount of data, moving across a network at a given point of time. Network data in computer networks is mostly encapsulated in network packets, which provide the load in the network."

rdfs:label

  • "Network Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Network_traffic

may-contain

originates-from

Usage (18)

definition

  • "Analyzing intercepted or summarized computer network traffic to detect unauthorized activity."

rdfs:label

  • "Network Traffic Analysis"

d3fend-id

  • "D3-NTA"

enables

Usage (18)

definition

  • "Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication."

kb-article

  • "## How it works
    Hosts/users within a computer network are analyzed to identify communities of hosts which frequently communicate. Future communications between communities that don't usually communicate can then be detected. For example, if a community of hosts that communicate in support of a company's finance division suddenly starts to access the code server usually accessed only by engineers, this may indicate unauthorized activity.

    ## Considerations
    * Potential for false positives in very dynamic network environments.
    * Attackers that move low and slow may not differentiate their behavior enough to trigger an alert."
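The community-deviation idea above, as an added example that is not D3FEND's code: baseline flows (constructed source/destination host pairs) are grouped into communities of frequent talkers, then new flows whose two communities never exchanged traffic in the baseline are flagged. This simplification uses a "never seen in baseline" rule instead of a statistical divergence threshold, which is also why the "low and slow" consideration bites: an attacker who uses an already-seen community pair is not flagged by it.

```python
"""Network traffic community deviation, as a small worked detection.

Added example, not D3FEND's code. Baseline flows (constructed sample data,
(source, destination) host pairs) are turned into communities of frequent
talkers; new flows whose source and destination communities never
communicated in the baseline are flagged.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[str, str]  # (source host, destination host)

def build_communities(baseline: List[Flow], min_count: int = 3) -> Dict[str, int]:
    """Hosts linked by at least `min_count` baseline flows are 'frequent talkers';
    each connected component of that graph becomes one community id."""
    pair_counts = Counter(frozenset(f) for f in baseline if f[0] != f[1])
    adjacency = defaultdict(set)
    hosts = {h for f in baseline for h in f}
    for pair, n in pair_counts.items():
        if n >= min_count:
            a, b = sorted(pair)
            adjacency[a].add(b)
            adjacency[b].add(a)
    community: Dict[str, int] = {}
    next_id = 0
    for host in sorted(hosts):  # sorted for deterministic ids
        if host in community:
            continue
        stack = [host]
        while stack:  # depth-first walk of one component
            h = stack.pop()
            if h in community:
                continue
            community[h] = next_id
            stack.extend(n for n in adjacency[h] if n not in community)
        next_id += 1
    return community

def baseline_community_pairs(baseline: List[Flow], community: Dict[str, int]) -> Counter:
    """Which community pairs talked during the baseline, and how often."""
    return Counter(frozenset((community[s], community[d]))
                   for s, d in baseline if community[s] != community[d])

def detect_deviations(new_flows: List[Flow], community: Dict[str, int],
                      known_pairs: Counter) -> List[Tuple[str, str, str]]:
    """Flag flows between communities that never communicated in the baseline."""
    alerts = []
    for s, d in new_flows:
        cs, cd = community.get(s), community.get(d)
        if cs is None or cd is None:
            alerts.append((s, d, "host absent from baseline"))
        elif cs != cd and frozenset((cs, cd)) not in known_pairs:
            alerts.append((s, d, f"community {cs} never reached community {cd} in baseline"))
    return alerts

# Constructed sample: a finance community around erp-srv, an engineering
# community around code-srv, and a mail server both sides talk to occasionally.
BASELINE: List[Flow] = (
    [("fin-1", "fin-2")] * 4 + [("fin-2", "erp-srv")] * 5 + [("fin-3", "erp-srv")] * 5
    + [("eng-1", "code-srv")] * 6 + [("eng-2", "code-srv")] * 6 + [("eng-1", "eng-2")] * 3
    + [("fin-1", "mail-srv")] * 2 + [("eng-1", "mail-srv")] * 2
)

def run_demo():
    """Return the community map and the alerts for a batch of new flows."""
    community = build_communities(BASELINE)
    known = baseline_community_pairs(BASELINE, community)
    new_flows = [("eng-1", "code-srv"),   # routine, same community
                 ("fin-2", "code-srv"),   # finance host reaching the code server
                 ("fin-1", "fin-3"),      # same community, never flagged
                 ("eng-2", "mail-srv"),   # cross-community but a known pair
                 ("ctr-9", "erp-srv")]    # host never seen in the baseline
    return community, detect_deviations(new_flows, community, known)
```

In a real deployment the baseline would be rebuilt on a rolling window and the "never seen" test replaced by a frequency threshold, which is what keeps the false-positive rate tolerable on dynamic networks.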

rdfs:label

  • "Network Traffic Community Deviation"

analyzes

d3fend-id

  • "D3-NTCD"

kb-reference

Usage (18)

definition

  • "Restricting network traffic originating from any location."

rdfs:label

  • "Network Traffic Filtering"

d3fend-id

  • "D3-NTF"

filters

kb-reference

Usage (18)

comment

  • "Relocatable machine code"

rdfs:label

  • "Object File"

rdfs:seeAlso

  • http://dbpedia.org/resource/Object_file

Usage (18)

comment

  • "An office application is one that is part of an application suite (e.g., Microsoft Office, Open Office)."

rdfs:label

  • "Office Application"

Usage (18)

comment

  • "A document file in a format associated with a d3f:OfficeApplication."

rdfs:label

  • "Office Application File"

rdfs:seeAlso

Usage (18)

definition

  • "A one-time password is valid for only one user authentication."

kb-article

  • "## How it works

    When a user initiates authentication, they are asked for a one-time password, often in addition to other credentials such as a traditional password or smart card. The one-time password may be from a list provided in advance, sent via a channel such as SMS or HTTPS to an app, or a generated token.

    In the case of a physical token which generates one-time passwords incrementally based on time elapsed, that token device need not be connected to the internet. In different implementations, an administrator of the system, or a user with additional verification, can adjust for clock skew between the token and the verification system as needed.

    ## Considerations

    ### Compromise of delivery channel
    - SIM Swapping
    - Secure token visual compromise
    - Insecure delivery channel

    ### Compromise of delivery device
    Physical loss of One-time Password device.

    ### Compromise of long-term backup codes
    These are often provided in the form of a downloadable document with a regular name, which can be searched for in the case that the user forgets where they put them. This digital file or printed document could be stolen.
    Additionally, after the code file is printed, it could be recovered from the system printer spool unless the spooler cache is cleared."

rdfs:label

  • "One-time Password"

rdfs:seeAlso

  • http://dbpedia.org/resource/One-time_password

synonym

  • "OTP"

authenticates

d3fend-id

  • "D3-OTP"

kb-reference

use-limits

Usage (18)

comment

  • "An operating system (OS) is system software that manages computer hardware and software resources and provides common services for computer programs. All computer programs, excluding firmware, require an operating system to function. Time-sharing operating systems schedule tasks for efficient use of the system and may also include accounting software for cost allocation of processor time, mass storage, printing, and other resources."

rdfs:label

  • "Operating System"

rdfs:seeAlso

  • http://dbpedia.org/resource/Operating_system

contains

may-contain

Usage (18)

altLabel

  • "Operating System Configuration Information"
  • "System Configuration"

comment

  • "A component of the overall information necessary for the configuration of an operating system."

rdfs:label

  • "Operating System Configuration Component"

rdfs:seeAlso

  • http://wordnet-rdf.princeton.edu/id/03085025-n

Usage (18)

altLabel

  • "System Configuration File"

comment

  • "An operating system configuration file is a file used to configure the operating system."
  • "System configuration files configure system-wide software and services, as well as the operating system which supports scheduling and executing this software, as well as the configuration of peripherals."

rdfs:label

  • "Operating System Configuration File"

rdfs:seeAlso

  • http://dbpedia.org/resource/Configuration_file
  • "Configuration File"
  • "Operating System"

Usage (18)

comment

  • "An operating system executable is a critical executable that is part of the operating system, and without which, the operating system may not operate correctly."

rdfs:label

  • "Operating System Executable File"

Usage (18)

comment

  • "An operating system file is a file that is part of, or used to store information about, the operating system itself."

rdfs:label

  • "Operating System File"

rdfs:seeAlso

  • http://dbpedia.org/resource/Operating_system
  • http://dbpedia.org/resource/System_file

Usage (18)

comment

  • "An operating system log file records events that occur in an operating system"

isDefinedBy

  • http://dbpedia.org/resource/Log_file

rdfs:label

  • "Operating System Log File"

rdfs:seeAlso

  • "Log File"

Usage (18)

definition

  • "The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, and initialization or boot logic. It also includes other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitutes **Operating System Monitoring**."

kb-article

  • "## Technique Overview

    "An operating system (OS) is system software that manages computer hardware and software resources and provides common services for computer programs." [1]

    Operating System Monitoring Techniques have varied implementations including built-in kernel modules, third-party privileged system daemons, or even standard systems administration tools included with an operating system.

    1. http://dbpedia.org/resource/Operating_system"

rdfs:label

  • "Operating System Monitoring"

d3fend-id

  • "D3-OSM"

enables

kb-reference

Usage (18)

altLabel

  • "System Process"

comment

  • "An operating system process, or system process, is a process running to perform operating system functions."

rdfs:label

  • "Operating System Process"

rdfs:seeAlso

  • http://people.scs.carleton.ca/~maheshwa/courses/300/l4/node7.html

Usage (18)

comment

  • "An operating system shared library file is a shared library file that is part of the operating system and that incorporates common operating system code for use by any application or to provide operating system services."

rdfs:label

  • "Operating System Shared Library File"

rdfs:seeAlso

  • http://dbpedia.org/resource/Library_(computing)#Shared_libraries

Usage (18)

comment

  • "An orchestration server provides orchestration services that automate the configuration, coordination, and management of computer systems and software."

rdfs:label

  • "Orchestration Controller"

contains

Usage (18)

comment

  • "Outbound internet DNS lookup traffic is network traffic using the DNS protocol on an outgoing connection initiated from a host within a network to a host outside the network."

rdfs:label

  • "Outbound Internet DNS Lookup Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Internetworking

may-contain

Usage (18)

altLabel

  • "Outbound Internet Encrypted RDP Traffic"
  • "Outbound Internet Encrypted SSH Traffic"

comment

  • "Outbound internet encrypted remote terminal traffic is encrypted network traffic for a standard remote terminal protocol on an outgoing connection initiated from a host within a network to a host outside the network."

rdfs:label

  • "Outbound Internet Encrypted Remote Terminal Traffic"

Usage (18)

comment

  • "Outbound internet encrypted traffic is encrypted network traffic on an outgoing connection initiated from a host within a network to a host outside the network."

rdfs:label

  • "Outbound Internet Encrypted Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Internetworking

Usage (18)

comment

  • "Outbound internet encrypted web traffic is network traffic using a standard web protocol on an outgoing connection initiated from a host within a network to a host outside the network."

rdfs:label

  • "Outbound Internet Encrypted Web Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Internetworking

Usage (18)

comment

  • "Outbound internet file transfer traffic is file transfer traffic that is: (a) on an outgoing connection initiated from a host within a network to a host outside the network, and (b) using a standard file transfer protocol."

rdfs:label

  • "Outbound Internet File Transfer Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/File_transfer
  • http://dbpedia.org/resource/Internetworking

contains

Usage (18)

altLabel

  • "Outbound Internet Email Traffic"

comment

  • "Outbound internet mail traffic is network traffic using a standard email protocol on an outgoing connection initiated from a host within a network to a host outside the network."

rdfs:label

  • "Outbound Internet Mail Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Internetworking

Usage (18)

comment

  • "Outbound internet network traffic is network traffic on an outgoing connection initiated from a host within a network to a host outside the network."

rdfs:label

  • "Outbound Internet Network Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Internetworking

Usage (18)

comment

  • "Outbound internet web traffic is network traffic that is: (a) on an outgoing connection initiated from a host within a network to a host outside the network, and (b) using a standard web protocol."

rdfs:label

  • "Outbound Internet Web Traffic"

rdfs:seeAlso

  • http://dbpedia.org/resource/Internetworking

may-contain

Usage (18)

comment

  • "Outbound traffic is network traffic originating from a host of interest (client), to another host (server)."

rdfs:label

  • "Outbound Network Traffic"

Usage (18)

definition

  • "Restricting network traffic originating from a private host or enclave destined towards untrusted networks."

kb-article

  • "## How it works

    Outbound traffic, in this context, is network traffic originating from a private host or enclave destined towards untrusted networks.
    For example:

    * An enterprise desktop intranet user connecting to www.example.com
    * An internal mail server connecting to an external mail server, mail.example.com

    Filtering is commonly implemented as firewall rulesets to limit outbound traffic permitted to egress a host or network. Firewalls are deployed either directly on hosts through kernel level software implementations or installed in-line directly on network links. There are benefits and disadvantages to each approach.

    There are various strategies for developing filtering rulesets:

    * Block everything by default
    * Limit destination hosts
    * Limit destination transport or application protocols
    * Restrict content outbound (Ex. strings formatted as social security numbers, or proprietary data)

    ## Considerations
    * Dynamic IP assignment creates challenges for Outbound Traffic Filtering because users are not necessarily associated with the same IP address. This can be addressed by linking IP address management information with the filtering logic.
    * Connections using non-standard transport layer ports may circumvent outbound traffic filtering technology which does not detect application protocol based on traffic content.
    * Business requirements typically drive the development of filtering rule sets.

    ## Implementations
    - iptables (Linux)
    - Windows Firewall
    - pf (BSD)"
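
An added example, not part of the D3FEND article above: a default-deny outbound ruleset that limits both destination host and application protocol, evaluated over constructed flows with a port-based and a content-based protocol classifier. The hostnames reuse the article's examples; the flow records and both classifiers are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Constructed outbound connection records (not from the page). `payload` holds the first
# bytes the internal client sent, which a content-aware filter can inspect.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes

# "Block everything by default": only flows matching an explicit rule are allowed.
# Each rule limits both the destination host and the application protocol.
ALLOW_RULES = {
    "desktop-web": {"dst": {"www.example.com"}, "app": {"https"}},
    "mail-relay":  {"dst": {"mail.example.com"}, "app": {"smtp"}},
}

# Port-only classification assumes the well-known port tells the truth.
PORT_TO_APP = {25: "smtp", 80: "http", 443: "https", 22: "ssh"}

def app_by_port(flow: Flow) -> str:
    return PORT_TO_APP.get(flow.dst_port, "unknown")

def app_by_content(flow: Flow) -> str:
    """Identify the application protocol from the client's first bytes."""
    p = flow.payload
    if p.startswith(b"SSH-"):                            # SSH identification string
        return "ssh"
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:    # TLS handshake record header
        return "https"
    if p.startswith((b"EHLO ", b"HELO ")):               # SMTP client greeting
        return "smtp"
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    return "unknown"

def decide(flow: Flow, classify) -> tuple:
    """Return ("allow", rule_name) for the first matching rule, else ("deny", "default")."""
    app = classify(flow)
    for name, rule in ALLOW_RULES.items():
        if flow.dst in rule["dst"] and app in rule["app"]:
            return ("allow", name)
    return ("deny", "default")

# Constructed sample flows. The third carries SSH over TCP/443: a port-only filter admits it
# as HTTPS, while the content-aware filter denies it (the article's non-standard port point).
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "www.example.com", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Flow("10.0.2.5", "mail.example.com", 25, b"EHLO relay.internal.example\r\n"),
    Flow("10.0.1.15", "www.example.com", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.1.22", "files.example.net", 21, b"USER anonymous\r\n"),
]

def evaluate(flows, classify):
    """Verdict per flow, in input order."""
    return [decide(f, classify)[0] for f in flows]

if __name__ == "__main__":
    port_based = evaluate(SAMPLE_FLOWS, app_by_port)
    content_based = evaluate(SAMPLE_FLOWS, app_by_content)
    for f, a, b in zip(SAMPLE_FLOWS, port_based, content_based):
        print(f"{f.dst}:{f.dst_port:<4} port-based={a:<5} content-based={b}")
```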

rdfs:label

  • "Outbound Traffic Filtering"

d3fend-id

  • "D3-OTF"

filters

kb-reference

Usage (18)

kb-abstract

  • "Many programs create command prompts as part of their normal operation including malware used by attackers. This analytic attempts to identify suspicious programs spawning cmd.exe by looking for programs that do not normally create cmd.exe.

    While this analytic does not take the user into account, doing so could generate further interesting results. It is very common for some programs to spawn cmd.exe as a subprocess, for example to run batch files or Windows commands. However, many processes don't routinely launch a command prompt - for example Microsoft Outlook. A command prompt being launched from a process that normally doesn't launch command prompts could be the result of malicious code being injected into that process, or of an attacker replacing a legitimate program with a malicious one."

kb-author

  • "MITRE"

kb-mitre-analysis

  • ""

kb-mitre-analysis

  • "MITRE"

rdfs:label

  • "Reference - CAR-2014-11-002: Outlier Parents of Cmd - MITRE"

kb-reference-of

  • 'Process Lineage Analysis'

kb-reference-title

  • "CAR-2014-11-002: Outlier Parents of Cmd"

Usage (18)

rdfs:label

  • "PE32 Executable File"

Usage (18)

rdfs:label

  • "PE32+ Executable File"

Usage (18)

comment

  • "A log of all the network packet data captured from a network by a network sensor (i.e., packet analyzer)."

rdfs:label

  • "Packet Log"

rdfs:seeAlso

  • http://dbpedia.org/resource/Packet_analyzer

records

Usage (18)

altLabel

  • "Disk Partition"
  • "Disk Slice"

comment

  • "A partition is a region on secondary storage device created so that the region can be managed by itself; separate from any other regions (partitions) on that secondary storage device. Creating partitions is typically the first step of preparing a newly installed storage device, before any file system is created. The device stores the information about the partitions' locations and sizes in an area known as the partition table that the operating system reads before any other part of the disk. Each partition then appears to the operating system as a distinct "logical" storage device that uses part of the actual device. System administrators use a program called a partition editor to create, resize, delete, and manipulate the partitions. Partitioning allows the use of different filesystems to be installed for different kinds of files. Separating user data from system data can prevent the system partition from becoming full and rendering the system unusable. Partitioning can also make backing up easier. [Definition adapted as generalization from definition of disk partitioning and distinct from in-memory partitions.]"

isDefinedBy

  • http://dbpedia.org/resource/Disk_partitioning

rdfs:label

  • "Partition"

rdfs:seeAlso

  • http://dbpedia.org/resource/Partition_table
  • http://dbpedia.org/resource/Memory_management_(operating_systems)

Usage (18)

comment

  • "A partition is a fixed-size subset of a storage device which is treated as a unit by the operating system. A partition table is a table maintained on the storage device by the operating system describing the partitions on that device. The terms partition table and partition map are most commonly associated with the MBR partition table of a Master Boot Record (MBR) in IBM PC compatibles, but it may be used generically to refer to other "formats" that divide a disk drive into partitions, such as: GUID Partition Table (GPT), Apple partition map (APM), or BSD disklabel."

isDefinedBy

  • http://dbpedia.org/resource/Partition_table

rdfs:label

  • "Partition Table"

addresses

Usage (18)

comment

  • "Passively collecting certificates and analyzing them."

definition

  • "Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity."

kb-article

  • "## How it works
    Certificates are analyzed outside of a TLS server connection using third-party secure update logs, domain name analysis and analytics.

    ### Secure update certificate logs
    * Certificate Logs
    The key enabling feature is a secure service that maintains record logs of certificate activities. The logs allow users to only append certificates and never to delete or modify the log entries. The logs use Merkle Tree Hashes to ensure they have not been tampered with. The logging service also allows for public auditing by any user.

    The logging service, upon receipt of a certificate to log, will respond with a signed certificate timestamp (SCT). The SCT guarantees the certificate will be added to the log within the time specified. The SCT must be present with the certificate during a TLS handshake.

    * Certificate Monitoring
    Certificate monitoring of the logs is typically done by the CA, which watches for suspicious certificate logging and for unusual certificates, extensions or permissions. Monitors are also responsible for verifying that the logs are accurate and public.

    * Certificate Auditors
    Log integrity is verified by log auditors. Auditors use log proofs to validate that the cryptographic hashes (Merkle Trees) the log employs are consistent. To ensure consistency across multiple monitors and auditors sharing a common logging service, a gossip protocol is employed.

    ### Phishing domain name analysis
    * A curated corpus of known benign domains and phishing domain names is used as training text for machine learning. Through feature set extraction, labeled feature vectors are created with scores indicating whether they are considered benign or phishing domains.

    * A stream of new or updated SSL certificates with fully qualified domain names (FQDN) is analyzed against the feature vectors and a predictive model determines a score for the domains. The scoring considers distance measures such as Levenshtein distance to help in determining the final label score. Supervised learning is also employed using the curated domains of benign and phishing domains.

    * Subdomain phishing analysis, prepending a trusted domain to a phishing domain, and regular expression comparisons are also used in the label scoring model. A tunable measure is used to determine the threshold for alerting. This measure helps to balance between precision and recall measures.

    ## Considerations
    * Some entity will need to run the logging service and a trusted entity is preferred.
    * Certificate Authorities will likely need to monitor the logging service for consistency.
    * Certificate revocation is unchanged and remains outside of Certificate Transparency, but certificates needing to be revoked are visible.
    * The technique depends on a reliable feed of new and updated certificates.
    * Some certificate authorities allow certificates to be registered with wildcards in the FQDN; these will fail some of the subdomain scoring.
    * Phishing HTTP domains will not be discovered."
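
An added example, not the project's own code: scoring FQDNs from a constructed certificate feed with the features the article names (Levenshtein distance to a benign corpus, a trusted domain prepended as a subdomain, regular-expression lure words, a tunable alert threshold) and marking wildcard names whose subdomain scoring is incomplete. The hand-set weights stand in for the trained model the article describes, and the benign corpus and feed are constructed here.

```python
import re

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(name: str) -> str:
    """Last two labels of a name. Assumption: a real deployment would consult the public suffix list."""
    return ".".join(name.split(".")[-2:])

# Constructed curated corpus of known-benign domains (stands in for the article's training set).
BENIGN = {"example.com", "login.example.com", "bank.example.org"}
BENIGN_REGISTRABLE = {registrable(d) for d in BENIGN}

# Regular-expression feature: lure words common in credential-phishing subdomains.
LURE_WORDS = re.compile(r"(^|[.-])(secure|login|verify|account|update)([.-]|$)")

def score_domain(fqdn: str, threshold: float = 0.5) -> dict:
    """Return the extracted features, a score in [0, 1] and whether it crosses the threshold."""
    name = fqdn.lower().rstrip(".")
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    reg = registrable(name)
    subdomain = name[: -len(reg)].rstrip(".")
    min_distance = min(levenshtein(reg, b) for b in BENIGN_REGISTRABLE)
    # A trusted domain prepended as a subdomain of an unrelated registrable domain.
    trusted_prefix = any(b in subdomain for b in BENIGN_REGISTRABLE)
    lure = bool(LURE_WORDS.search(subdomain))
    score = 0.0
    if min_distance > 0:              # distance 0 means the registrable domain is known benign
        if min_distance <= 2:         # close typo-variant of a benign domain
            score += 0.5
        if trusted_prefix:
            score += 0.4
        if lure:
            score += 0.2
    score = min(score, 1.0)
    return {
        "fqdn": fqdn, "registrable": reg, "min_distance": min_distance,
        "trusted_prefix": trusted_prefix, "lure_words": lure, "wildcard": wildcard,
        # A wildcard certificate hides the real subdomains, so subdomain features are incomplete.
        "subdomain_scoring_limited": wildcard,
        "score": score, "alert": score >= threshold,
    }

# Constructed feed of FQDNs as they might appear in newly logged certificates.
FEED = ["www.example.com", "examp1e.com", "login.example.com.evil-host.net", "*.cdn-provider.net"]

def scan(feed, threshold: float = 0.5) -> dict:
    """Score every FQDN in the feed; raising the threshold trades recall for precision."""
    return {f: score_domain(f, threshold) for f in feed}

if __name__ == "__main__":
    for fqdn, r in scan(FEED).items():
        print(f"{fqdn:<36} score={r['score']:.2f} alert={r['alert']} limited={r['subdomain_scoring_limited']}")
```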

rdfs:label

  • "Passive Certificate Analysis"

d3fend-id

  • "D3-PCA"

kb-reference

Usage (18)

altLabel

  • "Passcode"

comment

  • "A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm the identity of a user. Using the terminology of the NIST Digital Identity Guidelines, the secret is memorized by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity."

isDefinedBy

  • http://dbpedia.org/resource/Password

rdfs:label

  • "Password"

Usage (18)

comment

  • "Simple form of password database held in a single file (e.g., /etc/passwd)"

rdfs:label

  • "Password File"

Usage (18)

comment

  • "A user repository of account passwords, often accessed via a password manager."

rdfs:label

  • "Password Store"

rdfs:seeAlso

  • http://dbpedia.org/resource/Password_manager

Usage (18)

rdfs:label

  • "Patent"

Usage (18)

definition

  • "Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host."

kb-article

  • "## How it works
    Aggregate pull vs. push ratios from metadata are used to develop a baseline for a given host over a specific time period, e.g., over a three-hour period, one day, one week, etc. Anomalies identified over a threshold produce an alert.

    ## Considerations
    Collection and analysis of large network packet captures requires large storage and intensive computing power. The time windows used to calculate the ratio may vary between implementations; the choice should take into account a threat model and the likely effects (impacts) delivered by an adversary."
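
An added example, not the project's own code: per-host push ratios computed from constructed flow metadata over three-hour windows, with a baseline taken from each host's earlier windows and an alert when the latest window's upload share exceeds a tunable multiple of that baseline. The record format, window length and thresholds are assumptions for this illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed flow metadata records: (epoch_seconds, host, bytes_downloaded, bytes_uploaded).
# A real feed would be derived from flow logs or packet-capture summaries.
WINDOW = 3 * 3600  # three-hour windows, one of the periods the article mentions

def window_totals(records, window=WINDOW):
    """Aggregate download and upload bytes per (host, window index)."""
    totals = defaultdict(lambda: [0, 0])
    for ts, host, down, up in records:
        t = totals[(host, ts // window)]
        t[0] += down
        t[1] += up
    return totals

def push_ratio(down: int, up: int) -> float:
    """Share of the window's bytes that were uploaded; 0.0 for an empty window."""
    total = down + up
    return up / total if total else 0.0

def analyze(records, window=WINDOW, factor=3.0, min_upload=1_000_000):
    """Baseline each host on all but its latest window (median push ratio) and alert when the
    latest window exceeds factor x baseline and uploaded at least min_upload bytes."""
    by_host = defaultdict(dict)
    for (host, idx), (down, up) in window_totals(records, window).items():
        by_host[host][idx] = (down, up)
    alerts = {}
    for host, windows in by_host.items():
        idxs = sorted(windows)
        if len(idxs) < 3:            # too little history to form a baseline
            continue
        baseline = median(push_ratio(*windows[i]) for i in idxs[:-1])
        down, up = windows[idxs[-1]]
        current = push_ratio(down, up)
        if up >= min_upload and current > factor * max(baseline, 0.01):
            alerts[host] = {"baseline": baseline, "current": current, "uploaded": up}
    return alerts

# Constructed records: four normal windows per host, then ws-01 suddenly pushes 30 MB out.
RECORDS = []
for idx in range(4):
    RECORDS.append((idx * WINDOW + 600, "ws-01", 50_000_000, 2_000_000))
    RECORDS.append((idx * WINDOW + 900, "ws-02", 20_000_000, 1_500_000))
RECORDS.append((4 * WINDOW + 300, "ws-01", 1_000_000, 30_000_000))
RECORDS.append((4 * WINDOW + 300, "ws-02", 21_000_000, 1_400_000))

if __name__ == "__main__":
    for host, a in analyze(RECORDS).items():
        print(f"{host}: push ratio {a['current']:.2f} vs baseline {a['baseline']:.3f}, {a['uploaded']} bytes up")
```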

rdfs:label

  • "Per Host Download-Upload Ratio Analysis"

analyzes

d3fend-id

  • "D3-PHDURA"

kb-reference

Usage (18)

comment

  • "Firmware that is installed on computer peripheral devices."

rdfs:label

  • "Peripheral Firmware"

rdfs:seeAlso

  • Firmware (Individuals ), Firmware (Classes )
  • http://dbpedia.org/resource/Peripheral

Usage (18)

definition

  • "Cryptographically verifying peripheral firmware integrity."

kb-article

  • "## How it works
    Peripheral firmware is collected and analyzed on a host either periodically or on demand. This information may be collected for future comparisons.

    Changes in firmware hash values may indicate that the firmware has been tampered with, that firmware images are not maintained at current baselined versions, or even that known vulnerable versions are deployed.

    ## Considerations
    * Trust baselines will need to be generated for specific devices
    * Changes to trusted configurations will need to be managed across the enterprise"

rdfs:label

  • "Peripheral Firmware Verification"

d3fend-id

  • "D3-PFV"

kb-reference

verifies

Usage (18)

rdfs:label

  • "Persistence"

display-order

  • 3

Usage (18)

rdfs:label

  • "Persistence Technique"

enables

Usage (18)

comment

  • "The terms location [here, a physical location] and place in geography are used to identify a point or an area on the Earth's surface or elsewhere. The term location generally implies a higher degree of certainty than place, which often indicates an entity with an ambiguous boundary, relying more on human or social attributes of place identity and sense of place than on geometry. The distinction between space and place is considered a central concern of geography, and has been addressed by scholars such as Yi-Fu Tuan and John Agnew."

isDefinedBy

  • http://dbpedia.org/resource/Location_(geography)

rdfs:label

  • "Physical Location"

Usage (18)

altLabel

  • "Computer Platform"

comment

  • "Platform includes the hardware and OS. The term computing platform can refer to different abstraction levels, including a certain hardware architecture, an operating system (OS), and runtime libraries. In total it can be said to be the stage on which computer programs can run."

rdfs:label

  • "Platform"

rdfs:seeAlso

  • http://dbpedia.org/resource/Computing_platform

contains

Usage (18)

definition

  • "Hardening components of a Platform with the intention of making them more difficult to exploit.

    Platforms include components such as:
    * BIOS UEFI Subsystems
    * Hardware security devices such as Trusted Platform Modules
    * Boot process logic or code
    * Kernel software components"

rdfs:label

  • "Platform Hardening"

synonym

  • "Endpoint Hardening"
  • "System Hardening"

d3fend-id

  • "D3-PH"

enables

Usage (18)

definition

  • "Monitoring platform components such as operating systems software, hardware devices, or firmware."

kb-article

  • "Platform monitoring consists of the analysis and monitoring of system level devices and low-level components, including hardware devices, to detect unauthorized modifications or suspicious activity.

    Monitored platform components include system files and embedded devices such as:

    * Kernel software modules
    * Boot process code and load logic
    * Operating system components and device files
    * System libraries and dynamically loaded files
    * Hardware device drivers
    * Embedded firmware devices"

rdfs:label

  • "Platform Monitoring"

d3fend-id

  • "D3-PM"

enables

Usage (18)

comment

  • "In computer science, a pointer is a programming language object, whose value refers to (or "points to") another value stored elsewhere in the computer memory using its memory address. A pointer references a location in memory, and obtaining the value stored at that location is known as dereferencing the pointer. As an analogy, a page number in a book's index could be considered a pointer to the corresponding page; dereferencing such a pointer would be done by flipping to the page with the given page number."

isDefinedBy

  • http://dbpedia.org/resource/Pointer_(computer_programming)

rdfs:label

  • "Pointer"

Usage (18)

definition

  • "Comparing the cryptographic hash or derivative of a pointer's value to an expected value."

kb-article

  • "## How It Works

    Pointer Authentication (frequently referred to as PAC, although the technique is properly Pointer Authentication) is a security feature to provide protection against attackers with memory read/write access. A Pointer Authentication Code (PAC) is a cryptographic hash or derivative computed on the value of a pointer and some additional context information which can then provide a cryptographically strong guarantee about the likelihood that a pointer has been tampered with by an attacker.

    Although pointers are 64 bits, most systems have a substantially smaller virtual address space, leaving unused bits in pointers that can store the value of the PAC; this avoids any additional memory space requirements. One implementation is in ARMv8.3-A. A PAC is computed over the 64-bit pointer value and a 64-bit context value. Instructions are introduced to deal with pointers: one category to compute and insert the PAC into a pointer, another category to verify the pointer and invalidate it if the PAC does not check, and a third category to remove the PAC and restore the original pointer value without verifying.

    The ARM standard specifies a cryptographic algorithm called QARMA-64 (designed by Qualcomm) to compute the signature, although this algorithm is not required. The architecture provides for five secret 128-bit Pointer Authentication keys: two for instruction pointers, two for data pointers, and a general key for signing larger blocks of data.

    ## Considerations

    In the ARM implementation, the mechanisms above for manipulating PACs are provided, but it is up to the code developer to manage the keys for the cryptographic algorithm.

    A known potential limitation of PACs concerns signing gadgets. Under certain circumstances PACs can be bypassed by forcing the system to run a signing gadget which will allow the signing of arbitrary pointers to occur."
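
An added illustration, not the project's code and not an ARM implementation: a software model of the scheme the article describes, with the PAC stored in the unused high bits of a 64-bit pointer, computed over the pointer and a 64-bit context under one of five 128-bit keys, and the three instruction categories (insert, authenticate-or-invalidate, strip). HMAC-SHA256 stands in for QARMA-64 since the article notes the algorithm is not mandated; the 48-bit address space, the error-bit convention and the sample addresses are assumptions.

```python
import hashlib
import hmac
import os

# Layout assumptions: a 48-bit user-space virtual address space leaves the top 16 bits of a
# 64-bit pointer free to carry the PAC.
VA_BITS = 48
PAC_BITS = 64 - VA_BITS
PTR_MASK = (1 << VA_BITS) - 1
PAC_MASK = ((1 << PAC_BITS) - 1) << VA_BITS
ERROR_BIT = 1 << 62  # set on authentication failure so the pointer becomes non-canonical

class PacKeys:
    """The five 128-bit keys the article lists (two instruction, two data, one generic).
    Generated fresh here; the article notes key management is left to the developer."""
    def __init__(self):
        self.ia, self.ib, self.da, self.db, self.ga = (os.urandom(16) for _ in range(5))

def compute_pac(key: bytes, ptr: int, ctx: int) -> int:
    """Keyed hash over the 64-bit pointer value and 64-bit context, truncated to the free bits."""
    msg = (ptr & PTR_MASK).to_bytes(8, "little") + (ctx & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "little") & ((1 << PAC_BITS) - 1)

def sign(key: bytes, ptr: int, ctx: int) -> int:
    """Category 1: compute the PAC and insert it into the pointer's unused bits (cf. PACIA/PACDA)."""
    if ptr & ~PTR_MASK:
        raise ValueError("pointer does not fit the modelled address space")
    return ptr | (compute_pac(key, ptr, ctx) << VA_BITS)

def authenticate(key: bytes, signed: int, ctx: int) -> int:
    """Category 2: verify the PAC and return the plain pointer, or an invalidated one (cf. AUTIA/AUTDA).
    The returned value on failure is non-canonical, so any later dereference faults."""
    raw = signed & PTR_MASK
    if (signed & PAC_MASK) >> VA_BITS == compute_pac(key, raw, ctx):
        return raw
    return raw | ERROR_BIT

def strip(signed: int) -> int:
    """Category 3: remove the PAC and restore the original value without verifying (cf. XPAC)."""
    return signed & PTR_MASK

def is_valid_pointer(p: int) -> bool:
    return p & ~PTR_MASK == 0

def demo():
    """Sign a return address with the instruction key A, using the stack pointer as context,
    then authenticate the intact value, a value with modified low bits, and the same value
    presented under a different stack pointer. Addresses are constructed for the illustration."""
    keys = PacKeys()
    return_address = 0x00007F3A1C405AB0
    stack_pointer = 0x00007FFCE1A00100
    signed = sign(keys.ia, return_address, stack_pointer)
    ok = authenticate(keys.ia, signed, stack_pointer)
    tampered = authenticate(keys.ia, (signed & ~0xFFF) | 0x100, stack_pointer)
    wrong_ctx = authenticate(keys.ia, signed, stack_pointer + 0x40)
    return ok, tampered, wrong_ctx

if __name__ == "__main__":
    for label, value in zip(("intact", "tampered", "wrong context"), demo()):
        print(f"{label:<14} 0x{value:016x} valid={is_valid_pointer(value)}")
```

With only 16 PAC bits a forged value verifies by chance once in 65536 attempts, which is why the article frames the guarantee in terms of likelihood rather than certainty.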

rdfs:label

  • "Pointer Authentication"

authenticates

d3fend-id

  • "D3-PAN"

kb-reference

Usage (18)

comment

  • "A PowerShell profile script is a script that runs when PowerShell starts and can be used as a logon script to customize user environments."

rdfs:label

  • "PowerShell Profile Script"

rdfs:seeAlso

  • https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.1

Usage (18)

kb-abstract

  • "PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.

    PowerShell can be used to hide monitored command line execution such as:

    * net use
    * sc start"

kb-author

  • "MITRE"

kb-mitre-analysis

  • "MITRE"

kb-mitre-analysis

  • ""

rdfs:label

  • "Reference - CAR-2014-04-003: Powershell Execution - MITRE"

kb-reference-of

kb-reference-title

  • "CAR-2014-04-003: Powershell Execution"

Usage (18)

rdfs:label

  • "Powershell Script File"

Usage (18)

comment

  • "A private key can be used to decrypt messages encrypted using the corresponding public key, or used to sign a message that can be authenticated with the corresponding public key."

rdfs:label

  • "Private Key"

rdfs:seeAlso

  • http://dbpedia.org/resource/Public-key_cryptography

Usage (18)

rdfs:label

  • "Privilege Escalation"

display-order

  • 4

Usage (18)

rdfs:label

  • "Privilege Escalation Technique"

enables

Usage (18)

comment

  • "A process is an instance of a computer program that is being executed. It contains the program code and its current activity. Depending on the operating system (OS), a process may be made up of multiple threads of execution that execute instructions concurrently. A computer program is a passive collection of instructions, while a process is the actual execution of those instructions. Several processes may be associated with the same program; for example, opening up several instances of the same program often means more than one process is being executed."

isDefinedBy

  • http://dbpedia.org/resource/Process_(computing)

rdfs:label

  • "Process"

contains

process-image-path

process-user

Usage (18)

definition

  • "Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations."

rdfs:label

  • "Process Analysis"

d3fend-id

  • "D3-PA"

enables

Usage (18)

altLabel

  • "Process Text Segment"

comment

  • "A process code segment, also known as a text segment or simply as text, is a portion of the program's virtual address space that contains executable instructions and corresponds to the loaded image code segment. Includes additional sections such as an import table."

rdfs:label

  • "Process Code Segment"

rdfs:seeAlso

contains

Usage (18)

definition

  • "Comparing the "text" or "code" memory segments to a source of truth."

kb-article

  • "## How it works
    A process code segment is an executable portion of computer memory allocated to a particular process. Process Code Segment Verification implements verification to compare a process code segment to some expected value.

    ### Verification logic
    Verification can occur during application startup, or continuously during execution. The logic which verifies the process code may be separate in a third-party process, embedded in the application itself at compile time, or dynamically linked at runtime.

    ### System of record
    Examples of systems of record:

    * On-disk application binary files or checksums
    * Remotely stored binary data or checksums
    * Embedded binary data or checksums

    ### Post Verification Actions
    If the verification function determines a process code segment may have been altered, a capability may invoke Eviction techniques such as **Process Termination** to end the current process, or **Executable Blacklisting** to prevent the executable from launching in the future.

    ## Considerations

    ### False positives

    False positives commonly occur in the case that the layout of code in the process segment is legitimately modified:

    * Operating system features or third-party security software may modify the layout of process code, for example in the defensive technique **Segment Address Offset Randomization**, or in the case that a module is rebased. In both of these cases, the alteration occurs before the code is fully loaded into memory, and it would be possible to avoid the false positive by securely feeding this constant offset and any relocation data into the verification logic.

    * Process code segments may be written to modify themselves or other process code segments; however, this goes against widely-accepted current practices in software development.

    ### False negatives

    False negatives can occur via alteration of the verification logic or source of truth, or insufficient verification logic.

    * Verification techniques which are executed only locally may be defeated by altering the local verification logic.

    * Verification that is run only on a recurring basis could be evaded if the malicious alteration is completed before verification is run.

    * Verification that requests an operation to be performed on a subset of the code segment could be evaded by performing that operation on a copy of the relevant bytes of the code segment.

    * Verification based on a system of record that can be altered may fail if that system of record is modifiable by a malicious user."

rdfs:label

  • "Process Code Segment Verification"

d3fend-id

  • "D3-PCSV"

kb-reference

verifies

Usage (18)

altLabel

  • "Environment Variable"

comment

  • "An environment variable is a dynamic-named value that can affect the way running processes will behave on a computer. They are part of the environment in which a process runs."

isDefinedBy

  • http://dbpedia.org/resource/Environment_variable

rdfs:label

  • "Process Environment Variable"

Usage (18)

definition

  • "Process eviction techniques terminate or remove a running process."

rdfs:label

  • "Process Eviction"

d3fend-id

  • "D3-PE"

enables

Usage (18)

comment

  • "A process image is a copy of a given process's state at a given point in time. It is often used to create persistence within an otherwise volatile system."

isDefinedBy

  • http://dbpedia.org/resource/System_image#Process_images

rdfs:label

  • "Process Image"

contains

Usage (18)

definition

  • "Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors."

kb-article

  • "## How it works
    Process tree analysis techniques gather information on how a process was initiated to determine if a process is malicious. For example, if a process was not initiated from boot or not initiated by another process, that process is identified as suspicious. Also, if a new process was started before a process initiated by the device (ex. during boot) and that new process was not initiated by a user (which can be determined by examining process parameters such as type of process, its creator, source, etc.) the process is identified as suspicious.

    For example, Microsoft Word may block execution of any subprocess that is not in an approved path.

    ## Considerations
    * Attackers may spoof the parent PID (https://attack.mitre.org/techniques/T1502/), rendering such after-the-fact analysis on process lineage ineffective.
    * Processes may hide from various means of detection; an example on Linux is where a rootkit might remove key files for the process from its directory in /proc.
    * Zombie processes."
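
An added example, not the project's code, serving both this article and the CAR-2014-11-002 reference above: a parent-image baseline for cmd.exe built from constructed process-creation events, an outlier check for launches from rare or unseen parents, and the ancestry checks the definition mentions (a parent that cannot be resolved, a claimed parent whose image does not match, or a parent that started after its child, one crude symptom of the parent PID spoofing caveat). The event schema, thresholds and all events are constructed for this illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int           # 0 marks a root of the constructed tree
    image: str          # executable name of the new process
    parent_image: str   # executable name the event reports for the parent
    start: int          # process start time, epoch seconds
    user: str

# Constructed historical events used to learn which parents normally spawn cmd.exe.
BASELINE_EVENTS = [ProcEvent(1000 + i, 400, "cmd.exe", "explorer.exe", 1_700_000_000 + i, "alice")
                   for i in range(40)]
BASELINE_EVENTS += [ProcEvent(2000 + i, 410, "cmd.exe", "cscript.exe", 1_700_001_000 + i, "svc-build")
                    for i in range(8)]

def parent_baseline(events, child: str = "cmd.exe") -> Counter:
    """Count how often each parent image spawned the child image."""
    return Counter(e.parent_image.lower() for e in events if e.image.lower() == child)

def outlier_parents(events, baseline: Counter, child: str = "cmd.exe", min_share: float = 0.05):
    """Flag child launches whose parent image is rare or unseen in the baseline."""
    total = sum(baseline.values())
    findings = []
    for e in events:
        if e.image.lower() != child:
            continue
        share = baseline.get(e.parent_image.lower(), 0) / total if total else 0.0
        if share < min_share:
            findings.append((e.pid, e.parent_image, "outlier-parent"))
    return findings

def lineage_inconsistencies(events):
    """Ancestry checks: unresolved parent, parent image mismatch, or a parent that started
    after its child. Spoofed parents that start earlier pass this check, so it is a
    supplement to, not a replacement for, the analysis the article describes."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.ppid == 0:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None:
            findings.append((e.pid, "parent-not-found"))
        elif parent.start > e.start:
            findings.append((e.pid, "parent-started-after-child"))
        elif parent.image.lower() != e.parent_image.lower():
            findings.append((e.pid, "parent-image-mismatch"))
    return findings

# Constructed events under analysis: a normal launch from explorer.exe, a cmd.exe spawned by
# outlook.exe, and a cmd.exe whose claimed parent (pid 900) only started after the child did.
NEW_EVENTS = [
    ProcEvent(400, 0, "explorer.exe", "userinit.exe", 1_700_100_000, "alice"),
    ProcEvent(3001, 400, "cmd.exe", "explorer.exe", 1_700_100_100, "alice"),
    ProcEvent(520, 400, "outlook.exe", "explorer.exe", 1_700_100_050, "alice"),
    ProcEvent(3002, 520, "cmd.exe", "outlook.exe", 1_700_100_200, "alice"),
    ProcEvent(3003, 900, "cmd.exe", "explorer.exe", 1_700_100_300, "alice"),
    ProcEvent(900, 0, "explorer.exe", "userinit.exe", 1_700_100_400, "alice"),
]

if __name__ == "__main__":
    base = parent_baseline(BASELINE_EVENTS)
    print("baseline:", dict(base))
    print("outliers:", outlier_parents(NEW_EVENTS, base))
    print("lineage: ", lineage_inconsistencies(NEW_EVENTS))
```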

rdfs:label

  • "Process Lineage Analysis"

synonym

  • "Process Tree Analysis"

analyzes

d3fend-id

  • "D3-PLA"

kb-reference

Usage (18)